Antimalware and Antispam Technology - Case Study Example

The decision proved costly as the software exhibited a persistent tendency to incorrectly identify Outlook files as malware and permanently delete them. Within two weeks it had deleted dozens of important emails. As no amount of configuring seemed to solve this problem, we made the transition to Symantec's Norton Internet Security. Since 2004, every computer and laptop in our company has been running Norton Internet Security. The software has, quite successfully, prevented users from logging onto a host of sites which we have identified as potentially threatening and from running peer to peer software.

Indeed, the results of the ICT Department's periodic review of the application's logs indicate that Norton Internet Security has effectively protected us from a wide array of malware. Effective protection, however, does not mean immunity and therefore, we have implemented a second level of protection. Following a thorough investigation of anti-malware applications the ICT department decided to implement BINDER. A host-based detection system that can detect a wide class of malware on computers, including worms, spyware, and adware, with few false alarms, it operates through a simple algorithm which is based on inferring user intent.

It detects new unknown malware on personal computers by identifying extrusions, malicious outbound network requests which the user did not intend. At the same time, and as the ICT Director informed me, we have also developed and implemented a large-scale honeyfarm system that ensures high-fidelity honeypot operation, efficiently discards the incessant Internet .background radiation that has only nuisance value when looking for new forms of activity, and devises and enforces an effective containment policy to ensure that the detected malware does not inflict external damage or skew internal analyses.

Operating side-by-side, these two malware detection systems have, over the past fifteen months, effectively protected the company from malware attacks and infections. 3.1 Inferring User IntentI asked our ICT Director precisely how BINDER infers user-intent connections and, in response, he cited a very simple example. Let us assume that a user opens an Internet Explorer (IE) window, goes to a news web site, then leaves the window idle. In this example, new connections are generated in the following four cases:(1) When the user opens IE by double-clicking its icon on My Desktop in Windows, the shell process explorer.

exe (PID=1664) of Windows receives the user input, and then starts the IE process. After the domain name of the default homepage is resolved, the IE process makes a connection to it to download the homepage. This connection of IE is triggered by the user input of its parent process of explorer.exe.(2) Case II: After the user clicks a bookmark of news.yahoo.com in the IE window, the domain name is resolved as xx.xxx.xx.xxx. Then the IE process makes a connection to it to download the HTML file.

This connection is triggered by the user input of the same process.(3) Case III: After receiving the HTML file in 4 packets, IE goes to retrieve two image files from the websites in question. IE makes connections to them after the domain