The present and future of BitDefender security products

Jun 5, 2010 10:07 GMT

BitDefender has been an important player in the antivirus market since its inception in 2001, and has gained increasing popularity thanks to the quality of its products. The company's money makers in the home-user segment are BitDefender Antivirus, BitDefender Internet Security and the top-of-the-range suite, BitDefender Total Security. There are also free products available, such as the online services Online Scanner and the cloud-based QuickScan, or downloadable products like BitDefender Free Edition, BitDefender Anti-Phishing and BitDefender Chat Encryption.

Catalin Cosoi, head of the Online Threats Lab at the Romania-based security company, agreed to answer some questions about the new technology introduced in the upcoming line of products, as well as about side projects such as the saf.li URL shortening service. Cloud computing and methods for detecting new and improved malware code are also covered in the interview.

Softpedia: Other antivirus vendors are turning their attention to cloud-assisted malware detection technologies in order to increase the performance and efficiency of their products. What do you think are the benefits and disadvantages of this relatively new approach? Is BitDefender considering a similar direction in the future?

Catalin Cosoi: Cloud technologies are now an essential part of the users’ interaction with miscellaneous services. With applications ranging from popular social networks to word processing and corporate email, cloud computing is now everywhere. However, given the fact that these technologies are quite new, they may come with a twist. Generally speaking, one of the most important threats to be considered when discussing a cloud-based service is the possibility for it to be hit by distributed denial-of-service attacks to render it inaccessible to the vast majority of the users. There have been quite a few cases in the wild when popular video sharing and free blogging platforms have been massively attacked in order to prevent their users from accessing them.

On the security side of cloud computing, one of the most obvious drawbacks in its implementation is the host’s dependence on a working Internet connection. Yet this aspect has been mitigated by BitDefender with the introduction of additional layers of protection, including conventional string scanners and behavioral analysis.

BitDefender has been one of the first adopters of cloud computing applied to AntiMalware. Officially introduced in February 2009, QuickScan is an online scanning tool that uses a new technology to combine intelligent local scanning and in-the-cloud scanning, which detects e-threats in memory quickly. The upcoming security products in the 2011 generation will also make heavy use of cloud computing to boost performance and increase detection rates. Apart from QuickScan and the BitDefender 2011 family of products, we are also working on new approaches to cloud security, which will be announced and detailed in due time.
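The answer above describes combining a local scan layer with an in-the-cloud lookup, and notes that the cloud layer depends on a working Internet connection. The following added example (not BitDefender's code; the cloud service, hashes and samples are constructed stand-ins) shows the design point that matters for a defender: the local layer always runs, and a failed cloud lookup degrades to an "unknown" verdict rather than silently becoming "clean".

```python
"""Layered scan: local signatures first, then a cloud reputation lookup
that fails safe when connectivity is lost. Added illustration; the
'cloud' is a stub and all hashes are constructed."""
import hashlib

# Constructed local signature set: SHA-256 digests of known-bad content.
LOCAL_BAD_HASHES = {hashlib.sha256(b"MALICIOUS-SAMPLE").hexdigest()}


class CloudUnavailable(Exception):
    """Raised by the stub when the reputation service cannot be reached."""


class StubCloud:
    """Stand-in for a cloud reputation service (constructed, not a real API)."""

    def __init__(self, known, online=True):
        self.known = known      # digest -> "malicious" | "clean"
        self.online = online    # simulate loss of connectivity

    def lookup(self, digest):
        if not self.online:
            raise CloudUnavailable("no connectivity")
        return self.known.get(digest, "unknown")


def scan(data, cloud, cloud_timeout_s=2.0):
    """Return a verdict dict for `data` using local signatures then the cloud.

    `cloud_timeout_s` documents that a real lookup must be time-boxed;
    the stub does not sleep, so it is recorded but not enforced here.
    """
    digest = hashlib.sha256(data).hexdigest()

    # Layer 1: local signatures always run, so a known-bad file is
    # caught even with no Internet connection at all.
    if digest in LOCAL_BAD_HASHES:
        return {"verdict": "malicious", "source": "local-signature",
                "cloud_checked": False}

    # Layer 2: cloud reputation. A lookup failure must not be reported
    # as "clean"; the caller can then route the file to the heuristic /
    # behavioral layers the interview mentions.
    try:
        rep = cloud.lookup(digest)
    except CloudUnavailable:
        return {"verdict": "unknown", "source": "local-only",
                "cloud_checked": False, "timeout_s": cloud_timeout_s}

    return {"verdict": rep, "source": "cloud-reputation",
            "cloud_checked": True}


if __name__ == "__main__":
    good = b"hello world"
    cloud = StubCloud({hashlib.sha256(good).hexdigest(): "clean"})
    print(scan(b"MALICIOUS-SAMPLE", cloud))
    print(scan(good, cloud))
    print(scan(good, StubCloud({}, online=False)))
```

The value of the split is in the third case: when the cloud is offline the result is "unknown", which a product must treat as "needs more analysis", not as a pass.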

Softpedia: ALWIL's Chief Technology Officer, Ondrej Vlcek, recently told us that the market had started leaning towards free antivirus products. Several new such offerings have appeared in the past year alone, while older ones have consolidated their position with new and improved versions. Do you plan to make your own BitDefender Free Edition product more competitive by integrating new features?

Catalin Cosoi: Along with our line of consumer and enterprise products, we have also brought significant changes to the BitDefender Free offerings. Not only do we continue to improve the BitDefender Free Antivirus to make it faster and more optimized in terms of resource consumption, but we also added – as of June 2009 – other products to the free line-up: BitDefender Anti-Phishing Free Edition and BitDefender Chat Encryption.

Softpedia: A project called matousec has recently disclosed an attack against SSDT hooking, a technique used by many antivirus products to implement their host intrusion prevention systems (HIPS). According to the research, the attack would enable a malicious program capable of evading traditional detection mechanisms (a common occurrence today) to disable the more advanced layers of protection. Since BitDefender Total Security was on the published list of vulnerable pieces of software, can you comment on the impact of this vulnerability and tell us how you plan to mitigate it?

Catalin Cosoi: The exploit has its limitations: it requires a large amount of code to be loaded onto the targeted machine, which makes it impractical for shellcode-based attacks or attacks that rely on speed and stealth. Also, it can be carried out only when the attacker already has the ability to execute arbitrary code on the targeted PC. The exploit also has to be timed just right so the benign code isn’t switched too soon or too late.

On the other hand, although a part of their research is correct, there are many arguments that can be brought to the table. The first one would be the fact that this technique is not as easy as it sounds and it involves a very specific set of circumstances that need to be in place for this type of attack to be successful, and also a fair amount of luck.

The second argument is that, in order for this to work, the attacker must already be able to run executable code on the user’s machine, which means that it has already gotten past the antimalware product.

The third one is the fact that a security solution involves several security checks, and not all use SSDT, which makes the list of circumstances that need to be in place even longer. The fourth one would be the fact that there are no SSDT exploits in the wild, let alone one that can bypass BitDefender, and if there were, we would simply add detection for that (if, for some reason, we didn’t detect them already). There are several other arguments that can be brought, but the bottom line is that this technique is difficult to accomplish and there are several other simple ways you can run malicious payloads on targeted machines, by simply asking the user to stop the AV protection for a certain amount of time if he wants to run specific software.

Softpedia: It's a known fact that virus writers test their malicious programs on custom underground services similar to VirusTotal to make sure they evade antivirus detection before releasing them in the wild. With complex threats like ZeuS or Clampi, where a single hit can lead to hundreds of thousands of dollars in losses, missing an infection can mean putting a company out of business. Because of many such incidents, people are losing faith in the ability of AV vendors to protect them. Meanwhile, the next generation of banking trojans is expected to be even more aggressive and hard to detect. What do you think the solution to this problem is and what is BitDefender doing on this front?

Catalin Cosoi: One small clarification before we dig deeper into the question: VirusTotal is an extremely reputable web service that – although it may be used by malware authors to test their creations – has been built with totally legitimate purposes in mind.

It is true that some e-threats see even 100 builds per day to help them evade string scanners, but professional security products such as BitDefender do not solely rely on string scanners. BitDefender currently includes string scanners, heuristic and behavioral protection as well as Anti-Rootkit technologies able to detect and block some of the most destructive pieces of malware. Also, the industry-leading hourly update is another commitment to the end-users that they are protected even against threats compiled and released two or three hours ago.

Softpedia: What would you say is the most significant improvement/feature in the next major version of your antivirus product? Also, when should we expect it to hit the shelves?

Catalin Cosoi: Undoubtedly, one of the most important features in the upcoming suite of BitDefender products is the introduction of the in-the-cloud scanning technology, the cornerstone of the highly popular QuickScan online scanning tool. Along with the introduction of cloud technologies, the new product will also feature an overhauled Parental Control module, as well as a highly simplified interface to minimize the users’ interaction with the product. The upcoming antiphishing toolbar will not only detect phishing websites, but also fake banks, nonexistent web shops and a wide range of threats that can’t be labeled as phishing attempts, but would eventually cause the user the same harm.

As for the release date, BitDefender products will reach the stores in mid-July.

Softpedia: What is BitDefender's current position on the antivirus market in terms of active users and which are its main competitors?

Catalin Cosoi: Every day, BitDefender protects tens of millions of home and corporate users in more than 200 countries, as well as some of the world's largest corporations.

Softpedia: Comodo has recently released its Internet Security product and literally put its money on it by offering a reimbursement of up to $500 for repairs resulting from a virus infection occurring on its watch. Do you think that such protection is possible, considering the zero-day attacks nowadays?

Catalin Cosoi: As odd as it may seem, zero-day attacks are far from being the most important vector of infection. Traditionally, in order for this kind of exploit to work, the attacker needs to target the exact software configuration to trigger a malicious payload. For instance, for a PDF exploit to be successfully carried out, the user has to visit a specific web page using a specific version of Internet Explorer, running on a specific version of the Windows operating system and, of course, having a vulnerable version of Adobe Reader installed. If one of these prerequisites is out of place, then the whole attack fails.

More than that, BitDefender’s proactive protection proved that it can detect and successfully block such exploits before they are even launched in the wild. This is exactly what happened with the IE8 / IE7 / Adobe PDF exploits detailed in CVE-2010-0249 and CVE-2010-0806 (also known as Operation Aurora / Comele), and detected by BitDefender three months before they were spotted in the wild. So, yes, we believe that total protection can be achieved if using the appropriate AV solution.

Regarding the reimbursement, we believe that a specific amount of money would only give the user a false sense of security. As you stated in question number 4, a single “hit can lead to hundreds of thousands of dollars in losses”, and this means that paying the user $500 wouldn’t come close to covering the damage.

Softpedia: BitDefender has licensed several products to Acronis, giving it a chance to reach a new audience. Is it possible to see BitDefender products include Acronis features? It is a leader in backup technology and your Internet Security features backup capabilities.

Catalin Cosoi: Although BitDefender includes a backup feature, its primary purpose is to serve as an antimalware utility. We believe that adding a dedicated backup feature is not in line with our area of expertise and subsequently we have no plans of integrating such features in our products.

Softpedia: We have become acquainted with Saf.li, BitDefender's URL shortening service. Can you tell our readers more about the URL scanning technology behind it? Does it use real-time code analysis, sandbox-assisted behavioral detection or a blacklist maintained by BitDefender? Also, some webmasters have expressed concerns about unnecessary and, in some cases, erroneous traffic generated by Saf.li. Has the issue been spotted and fixed?

Catalin Cosoi: Saf.li uses an innovative combination of BitDefender’s antimalware and antiphishing engines that are also the cornerstone of the BitDefender security products. As the user accesses the saf.li link, the service fetches the web page, strips its contents and parses it in search of malicious scripts and potentially unsafe hyperlinks (for instance, links leading to phishing or malware-infected websites).
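The answer above outlines the pipeline behind saf.li: fetch the page, parse it, and look for scripts and hyperlinks that lead somewhere unsafe. As an added example (not saf.li's or BitDefender's code), the following Python sketch implements that shape of check over a constructed HTML page, resolving relative and scheme-relative links against the page URL and classifying each target against constructed phishing and malware host lists. The host lists, the sample page and the `example.*` names are all placeholders.

```python
"""saf.li-style page check: parse HTML, collect link and script targets,
classify each against reputation lists. Added illustration; the HTML and
the host lists are constructed, not real feeds."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed reputation data (placeholders for a vendor's real blocklists).
PHISHING_HOSTS = {"login-verify.example.net"}
MALWARE_HOSTS = {"dl.badcdn.example.org"}


class LinkCollector(HTMLParser):
    """Collects outbound hyperlinks, iframe targets and script sources."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []          # <a href> and <iframe src>, absolutized
        self.scripts = []        # external <script src>, absolutized
        self.inline_scripts = 0  # <script> blocks with no src attribute

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("a", "iframe"):
            target = attrs.get("href") if tag == "a" else attrs.get("src")
            if target:
                self.links.append(urljoin(self.base_url, target))
        elif tag == "script":
            src = attrs.get("src")
            if src:
                self.scripts.append(urljoin(self.base_url, src))
            else:
                self.inline_scripts += 1


def classify_url(url):
    """Return 'phishing', 'malware', 'unsafe-scheme' or 'clean' for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in PHISHING_HOSTS:
        return "phishing"
    if host in MALWARE_HOSTS:
        return "malware"
    # javascript:, data: and similar pseudo-URLs are not web pages and are
    # flagged so a reviewer sees them rather than silently skipping them.
    if parts.scheme not in ("http", "https"):
        return "unsafe-scheme"
    return "clean"


def check_page(base_url, html):
    """Parse an already-fetched page and summarize what was found."""
    parser = LinkCollector(base_url)
    parser.feed(html)
    parser.close()
    findings = {}
    for url in parser.links + parser.scripts:
        verdict = classify_url(url)
        if verdict != "clean":
            findings[url] = verdict
    return {
        "links": len(parser.links),
        "scripts": len(parser.scripts),
        "inline_scripts": parser.inline_scripts,
        "findings": findings,
        "verdict": "unsafe" if findings else "clean",
    }


# Constructed sample page standing in for the fetched content.
SAMPLE_HTML = """<html><body>
<a href="/about">About</a>
<a href="http://login-verify.example.net/secure">Verify your account</a>
<script src="//dl.badcdn.example.org/loader.js"></script>
<script>document.title = "hello";</script>
<a href="javascript:void(0)">noop</a>
</body></html>"""

if __name__ == "__main__":
    print(check_page("https://shop.example.com/index.html", SAMPLE_HTML))
```

In a real service the fetch step would run in an isolated environment with a timeout and size cap, and the host lists would be replaced by the vendor's reputation engines; the structure of collecting every outbound target and refusing to treat an unclassifiable one as clean is what carries over.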

Softpedia: Are there any special features, aside from the BitDefender-powered URL scanning, that are particular to Saf.li? What adoption rate do you expect? We understand the marketing benefits for an AV company to provide security for a URL shortening service. But why not partner with one that is already well established and has a consistent user base? Wouldn't this have a bigger impact rather than running your own service?

Catalin Cosoi: Unlike average URL shortening services, saf.li has been designed with other features in mind. The primary role of saf.li is not to shorten URLs, but rather to tell the users if they could get exposed to various types of malware by simply visiting a URL. The shortening system is more of a bonus feature rather than the ultimate purpose of saf.li.