Aug 24, 2010 11:29 GMT

Recently we had the opportunity to interview Ondrej Vlcek, the chief technology officer of Avast Software, the company behind one of the most popular and feature-rich anti-malware products on the market – avast! Antivirus.

To make for easier reading we split the interview in two. We already published part one, which covered the more general questions about security in operating systems, browsers and popular applications.

In this second part we ask Mr. Vlcek about upcoming features in avast! Antivirus, as well as other products the company might have in store for us. We hope you'll enjoy reading it.

Softpedia: The new management console in the upcoming avast! Antivirus 5.1 can function both as a Web interface accessible via the browser, as well as a Silverlight-based Rich Internet Application (RIA) running on the desktop. Why have you chosen Silverlight and not some other RIA technology like Adobe AIR or JavaFX?

Ondrej Vlcek: That was a practical decision, because the people that we had here were more experienced in Silverlight. Also the technology was sufficient for us, allowing us to provide what we intended. There wasn't any other specific reason.

Softpedia: So the decision was solely based on expertise.

Ondrej Vlcek: Yes. We had some very good people for .NET, the platform used inside Silverlight. Also we have a very good relationship with Microsoft, so chances of getting good support from them were high.

Softpedia: What kind of a solution do you see for combating black hat search engine optimization (BHSEO)? To warn users in advance that they shouldn't click on certain search results. A blacklist or maybe a real-time thing?

Ondrej Vlcek: Currently we rely on the Web Shield to do the filtering for us. That's scanning in real time, so it doesn't use any static blacklist, which is very good. On the other hand we understand that, for example, giving users hints on search results may be very appreciated. It's a nice feature to have a certain understanding of whether a site can be trusted or not in advance.

We are also looking into a web reputation type of thing. Like a voting platform that would allow our community to decide if a website is malicious or not.

Softpedia: But if, for example, one of your users goes to a website and something on that website triggers a detection from their antivirus, you could use that to inform others in real time that at least for a certain period of time that website shouldn't be trusted.

Ondrej Vlcek: Yes. We can display an exclamation mark next to the search result. That's very likely coming in version 6, together with the voting. It's more about reputation really.

Softpedia: So, something like McAfee SiteAdvisor or similar?

Ondrej Vlcek: Well, McAfee SiteAdvisor is about malware and stuff like that, because they use crawlers.

Softpedia: Ok. So then, more like WOT (Web of Trust)?

Ondrej Vlcek: More like that, yes. I think WOT also tries to market itself as a security solution. For us, the voting will probably be very similar to product ratings on Amazon.com – one to five stars.

It's very subjective, but if you have a sufficient number of votes then it has some value. People are pretty good at understanding whether a given site ripped them off or offered a good experience. Especially for e-commerce sites it's very important.

Softpedia: But you're also considering leveraging what avast! installations report in real time?

Ondrej Vlcek: Yes.

Softpedia: Can you disclose other noteworthy features you plan for version 6?

Ondrej Vlcek: Version 6 will have a lot of cloud infrastructure. I have to say, I hate the word cloud.

Softpedia: So let's say server-assisted.

Ondrej Vlcek: Server-assisted infrastructure. We don't really have a problem with the delivery of updates or definitions. That's what most so-called "cloud antiviruses" do. They use the cloud to get rid of the problem of delivering updates to users. We can do this even better than many of the paid vendors.

On the other hand, we understand some of the things that could be done like a dialog between the client and the server.

Softpedia: Like building a signature for a file, then taking it to the server to check in real time if other people have it.

Ondrej Vlcek: Yes. If it's more like a ping pong conversation between the client and the server, then it can have some very good meaning and can bring good value to our users. That's something we are in the process of implementing and we believe that it will substantially improve things.

Softpedia: Increase performance and detection.

Ondrej Vlcek: Yes. Performance we always worry about, because we have a huge user base and people use different Internet connections. Even people who normally use broadband, from time to time when they travel, they have to go with mobile connections.

And in order for an antivirus to be truly unobtrusive, you have to make it so that even with these connections it doesn't slow things down. Obviously we can't upload files on dial-up, because it will take a long time. You have to be very careful about implementing it, so that it's all done very transparently and very fast.

Some of the current vendors of so-called cloud antiviruses claim that one of the biggest advantages of cloud AVs is that they're lighter than the normal, more traditional products. I don't believe this is the case really. Because you can't really do all the processing in the cloud. You still need to have some logic on the client.

And the other thing is that, even if you have a very good network and geographic spread, the latencies that users will see will probably be much higher than what it normally takes to scan a file using traditional methods. That's one of the main focuses of the project – speed and performance optimization. We definitely want to have avast! 6 at least as fast as version 5 is.

Softpedia: So, cloud technology and website reputation. Those are two features to expect in version 6.

Ondrej Vlcek: Yes.

Softpedia: Compromised legit websites are amongst the primary attack vectors today. We think webmasters would benefit from a system that could alert them if some unauthorized change is made to their website. As a security vendor are you considering providing such a website integrity monitoring service?

Ondrej Vlcek: It's interesting that you ask this, because it's one of the projects we are currently working on. We're still developing it, but it will be ready before the end of this year.

Softpedia: Does it scan in real-time?

Ondrej Vlcek: It will use intelligence from our user base. So, basically when we see any avast! installation triggering an alert on a specific website, we will be able to notify its owner.

Softpedia: What about mobile malware? Are you preparing any solutions for such threats?

Ondrej Vlcek: The situation is actually quite calm for now. I think the main reason for that is that most of the mobile platforms enforce digital signatures on all code. And not only that, but signatures are issued by the phone operator.

The only platform that doesn't do this is Android. It does require digitally signed binaries, but on the other hand it also accepts self-signed certificates so it's easy to sign a package and distribute it.

So yes, we think there is a potential for malware. We're not developing any Android or other mobile anti-malware solution for now, but we want to be ready and we're monitoring the situation.

Softpedia: False positive incidents can affect a lot of people and can leave computers unable to boot. There have been some big cases this year from vendors like BitDefender or McAfee. What are you doing to avoid such issues?

Ondrej Vlcek: We try to fight the false positive problem on many fronts. First there is our quality assurance process, which dictates that all definition updates must first be used to scan our internal clean sets of files – one bigger, one smaller. Before they go out to users the updates need to pass both scans without any incidents.

The clean sets consist of terabytes of data and we try to keep them current using sources like Softpedia and others. That is very important for us. But the process is only as good as the people who run it, so there's always a chance that something will not get properly tested.

We also keep a whitelist of digital certificates from software publishers that we trust unconditionally, like Microsoft or Adobe, which we can revoke at any time. Every time a detection is triggered in our user base on any file that is signed by these vendors, the product doesn't take any protective action. It doesn't quarantine it or anything. Instead, it creates a package with information about the file, which gets uploaded to our servers and we get notified to investigate.

We also have a community phone number, that we give out to our evangelists. These are over one hundred people, who are most active in our community and can call and alert us of any major problem. This number should get through to at least seven or eight people here, so even if it's the middle of the night it's very likely that someone will pick up the phone and be able to do something about it. This is like a last line of defense.

Softpedia: Tell us more about how the certificate revoking works, because revoking a certificate doesn't mean the already-signed malware will stop working. It just means the certificate can't be used to sign new malware.

Ondrej Vlcek: We use our own algorithms for digital signature verification. We don't trust Windows' digital signature infrastructure. The reason for this is that it's very easy for malware to hook into this infrastructure.

Imagine you have a computer that already has some piece of malware installed on it. It's actually very easy for the malware to hook the verify-trust type of functions, basically the API for digital signature verification. So, we don't trust this at all. We have our own system for verification, our own certificates that are trusted, root certificates, etc. So if there is a signed rootkit, we can easily block it.

(Transcribed from audio)