IDC Defending Against The Unknown


  • 8/14/2019 IDC Defending Against The Unknown


WHITE PAPER

Zero Hour Virus Protection: Defending Against the Unknown

    Sponsored by: VirusBuster, BlueCat, G-Data, AhnLab, Commtouch

    Dan Yachin, Research Director, EMEA Emerging Technologies

    August 2005

IDC OPINION

    Despite the massive deployment of antivirus solutions, viruses and other types of

    malware are still the greatest security threat for enterprises. Fighting malware is a

    perpetual war, in which attackers constantly identify and target emerging

vulnerabilities in order to stay one step ahead of defenders. Today, many rapidly

    propagating attacks are aimed at the weak spot of traditional antivirus solutions,

which are based on developing new signatures for new threats, a time-consuming

process (hours-long at best) that creates a window of vulnerability where end users

    are unprotected. In light of these threats, organizations can no longer solely rely on

    reactive signature-based solutions. To protect against new and unknown threats,

    more proactive approaches should be applied, providing improved response times

    without compromising detection levels.

METHODOLOGY

    IDC developed this white paper using a combination of existing market forecasts and

    direct, in-depth, primary research. To gain insight into the challenges of fighting

modern malware, especially sophisticated rapidly propagating threats, and to learn

about how Commtouch's Zero-Hour Virus Protection can help mitigate associated

    risks, IDC interviewed the company team on the issues of technology, product

    offerings, competitive landscape, and go-to-market strategy. IDC also interviewed

    vendors employing Commtouch's technology including BlueCat Networks and

    VirusBuster.

IN THIS WHITE PAPER

    This IDC white paper looks at the problem of zero-hour malware outbreaks that are

    aimed at infecting as many machines as possible before vaccinations are available. It

provides an overview of traditional signature-based antivirus technologies and their

weaknesses in protecting against this type of attack, and examines different proactive

    virus detection and protection approaches.

IDC Central and Eastern Europe, Middle East/Africa Headquarters: Male Namesti 13, 110 00 Praha 1, Czech Republic. P.420.2.2142.3140

© 2005 IDC

EXECUTIVE SUMMARY

    More than two decades since their first appearance, computer viruses remain a

    serious problem. The financial costs of viruses are still substantial as defenders

    struggle to keep up with the growing sophistication and effectiveness of malware

    attacks. The emergence of rapidly propagating malware designed to cause mass

infection before signatures are available has taken the arms race between virus

    writers and antivirus developers to a new level. These attacks are becoming

    increasingly sophisticated: some of the most recent malware outbreaks introduced

    new threats such as multi-variant viruses, and spyware-carrying worms that use a

    spam-like distribution technique to propagate. In order to fight these threats

    effectively, new approaches towards proactive virus protection are more important

    than ever. One of these emerging approaches is Commtouch's Zero-Hour Virus

    Protection technology, which enables detecting any type of attack that carries the

    characteristics of a massive outbreak, regardless of its payload.

SITUATION OVERVIEW

Current Malware Trends

    Malicious software, or malware, is a general term for any software that is designed to

    cause damage to computer systems when executed. This definition refers to various

    types of malicious code (e.g., viruses, worms, Trojan horses, zombies, trapdoors,

    logic bombs, key loggers), but the most common and damaging are replicating

    malicious code programs, known as viruses.

    Viruses have come a long way since the early days in which they spread from one PC

to another via diskettes. To a large extent, it is no longer the playground for amateurs

that fall into the stereotype of bored teenagers seeking notoriety. Today's malware is

    in many cases the business of professionals and even criminals. Correspondingly, the

    motivations that drive malware authors are changing and a growing number of attacks

    are financially-driven rather than simple pranks.

    In light of the growing sophistication of malware, the effectiveness of attacks is on the

rise and so is the financial impact. According to the CSI/FBI 2004 Computer Crime

    and Security Survey report, viruses were the type of security incidents that generated

    the largest losses in 2004.

    On the surface, these findings may seem puzzling given the fact that antivirus

    solutions are used by the vast majority of organizations. Still, in a recent IDC survey,

    90% of large companies were hit by a successful virus attack this year; moreover,

    40% reported 11 or more successful attacks in 12 months (see IDC's Enterprise

    Security Survey 2004, #32593).


FIGURE 1

Number of Successful Attacks in the Past 12 Months by Company Size

Q. How many attacks, including (but not limited to) viruses, hacks, Trojan horses, and worms,

    against your company's enterprise network defenses successfully breached security in the

    last 12 months?

    n = 477

Note: Small companies are those with 1-99 employees; medium-sized companies are those with

100-999 employees; large companies are those with 1,000-9,999 employees; and very large

    companies are those with 10,000+ employees.

Source: IDC's Enterprise Security Survey, 2004

The Weak Spot of Traditional Antivirus Approaches

    The growing effectiveness of malware can be explained by its dynamic nature.

    Malware writers make concerted efforts to find weak spots in enterprise security

    systems, and to overcome them. In this regard, malware writers have realized that

    organizations' reliance on signature-based antivirus products creates a significant

    window of vulnerability, and are targeting it in various ways.

    The problem of signature-based AV solutions lies in their reactive nature. A signature

    development cycle consists of obtaining a sample of that virus (which means a new

    threat can only be identified when it is already on the loose), initial virus signature

    development, production-level signature development, and eventually customer

update, an hours-long process at best and in some cases 24 hours or more. According


to AV-Test, an independent German lab that continuously tests the

performance of leading antivirus products, the response time of signature-based

antivirus solutions averages 10 hours (see Table 1 below). These results come

from tests conducted last year, which measured the response

times in 45 major malware outbreaks.

TABLE 1

Outbreak Response Time Test Results

Response Time        AV Vendors
Less than 2 hours    N/A
Less than 4 hours    Bitdefender, Kaspersky
Less than 6 hours    AntiVir, Dr. Web, F-Secure, Panda, RAV
Less than 8 hours    Quickheal, Sophos
Less than 10 hours   AVG, Command, F-Prot, Norman, Trend Micro, VirusBuster
Less than 12 hours   Avast, eTrust (CA)
Less than 14 hours   Ikarus, McAfee
Less than 16 hours   eTrust (VET), Symantec (Intelligent Updates, but not LiveUpdates)

Notes:

Beta definition updates from McAfee (DailyDats) and Symantec (Rapid Release Definitions) were usually available within less than 4 hours.

Many larger AV companies have Service Level Agreements (SLAs) for a predefined response time with special signature updates (which are not publicly available).

Response times refer to the time required to detect the main malware component, but not (possible) dropped files (e.g., keyloggers). Only 7 out of 24 tested AV companies were able to detect the dropped components with the first update (or with a second update that was available a few hours later): AntiVir, AVG, eTrust (VET), McAfee, Panda, Sophos, and Trend Micro.

Some companies required a few days to weeks for full detection (or even full repairs).

Source: Antivirus Outbreak Response Testing and Impact, Andreas Marx, AV-Test.org (presented at the Virus Bulletin 2004 Conference in Chicago)

    As seen in Table 1, given current response times, signatures developed against new,

    rapidly propagating attacks can only slow an outbreak but cannot prevent the mass

    infection in the first hours. In the notorious MyDoom attack, for example, it took 6.5

    hours from first detection (by MessageLabs) for the outbreak to peak, but the initial

    signature was released (by McAfee) almost 8 hours after first detection. It took nearly

    9 additional hours before most leading antivirus vendors released production-level


    vaccinations. The speed of propagation was a key to the "success" of MyDoom,

which according to different estimates caused more than $30 billion worth of financial

    damage.

    Another drawback of the signature-based approach is the need to produce a unique

    signature not only for brand new viruses but also for mutations or variants of existing

    viruses. And as the current daily rate of viruses or virus variants found is about 75 to

    100 (compared to numerous viruses only two years ago), according to AV-Test,

    fighting malware with signature-based weapons becomes a perpetual battle.

Exploiting the Window of Vulnerability

Recent malware propagation techniques can be categorized into four main classes,

    all of which aim to exploit the early-hours weak spot of the signature-based antivirus

    approach.

    The Speed Factor: Mass-Mailing Worms

    Perhaps the single most notable characteristic of modern malware is its speed of

    propagation, which is the main factor in the success of mass-mailing attacks such as

    MyDoom, Netsky, and Beagle. These attacks spread by sending email messages

    containing an infected executable attachment. When the attachment is opened, it

sends spoofed email messages containing the attachment to email addresses harvested

    from the infected computer. In the MyDoom case, this infection technique allowed the

    worm to reach mass distribution in only a few hours (approximately 100 million

    infected machines within 36 hours, according to various estimates).

    Achieving high propagation rates is clearly one of the main design goals of malware

    authors today. Modern viruses and worms are not immune to vaccinations they are

    designed to infect as many computers as possiblebeforevaccinations are available.

    The Volume Factor: Spam-Like Attacks

    Unlike worms that propagate by moving from one machine to another, a spam

    outbreak targets multiple destinations in an extremely short period of time.

    Harnessing spam-like distribution techniques for the purpose of distributing malware

    is a new and extremely concerning trend. Unlike worms that spread from one

    computer to another, this type of malware is sent in one massive blast.

    Attacks using such zombie propagation methods can distribute 100-200 million

    messages within several hours (usually less than 5 hours). In other words, by the time

    the first antivirus production-level signatures are ready, the distribution cycle is

already completed. This technique is highly effective for Trojan and spyware

distribution, and is therefore often used in attacks made for financial gain.

    The Durable Threat: Multi-Variant Viruses

    In some of the most recent malware attacks, a new phenomenon of multi-variant

    viruses has been spotted. In this scenario, malware writers prepare an "arsenal" of

    virus variants. The malicious action itself is the same in all variants, but they differ

    enough so that they cannot be blocked using the same signature. As the variants are


    released in time intervals, by the time antivirus providers produce a signature for one

variant, a new variant has already been released.

Such an attack not only exploits the AV window of vulnerability, but it also extends it,

    keeping end users virtually exposed throughout the entire duration of the attack.

    Some of the latest multi-variant attacks lasted days, with a new variant released every

    day. Other recent attacks used intervals of about 4 hours, aiming at the estimated

minimum time required for developing a new signature.

    The Elusive Threat: Blended Attacks

    Blended threats combine the characteristics of viruses, worms, and Trojan horses,

    and usually exploit known system vulnerabilities to spread through multiple channels

    (email, Web, etc.). They are extremely difficult to block, since they often fall beyond

    the scope of traditional antivirus solutions. The classical example of a blended attack

    is Code Red.

    Blended threats often come in the form of (but are not limited to) Trojan horses used

to create backdoors for sending spam or for launching a Distributed Denial of Service

(DDoS) attack. In this scenario, the attacker uses the backdoor to remotely control a

    group of infected machines (zombies), and to take down a specific Web server by

    flooding it with multiple simultaneous requests.

Phishing: A No Man's Land Between Spam and Malware

    In addition to the above-mentioned propagation techniques, phishing is another type

    of threat that exploits current vulnerabilities in traditional security solutions.

The term "phishing" refers to an online fraud technique where a spam message is

sent or a pop-up appears that seems to come from a well-known bank, credit card

company, insurance company, online retailer, or ISP. Disguised as a

    legitimate request for updating or verifying personal information, the spoof message

    refers users to the phisher's phony Web site, tricking them into revealing personal

    financial information such as credit card numbers, social security numbers, bank

    account numbers and passwords. The data can then be used for credit card fraud,

    identity theft, stealing money, and so on.

    From the security standpoint, phishing presents acute detection and blocking

    challenges, for antivirus as well as anti-spam engines. Technically speaking, phishing

    is neither spam nor a virus: since it involves no malicious code or even an

    attachment, antivirus solutions are completely ineffective against it.

    From a technical point of view, phishing campaigns are no different from spam, and

    often use the very same propagation techniques. But since most anti-spam solutions

    are designed to block spam according to specific text and content attributes, they are

    not always successful in blocking phishing messages that appear legitimate.

    Unlike spam, which is marketing-driven, phishing has malicious intent; more than just

    annoying, it is considered a security threat. Like malware (but not spam), a failure to

    block even a few phishing messages at the gate can result in severe damage.


    Security managers therefore tend to group phishing with malware, and expect it to be

    blocked by their antivirus providers.

Fighting Malware: The Emergence of Proactive Detection

    Malware attacks are becoming much less predictable and more sophisticated, and

    are being undertaken using multiple methods. They differ in form, in propagation

    technique, and in the nature of their payload. In order to efficiently fight modern

    malware that is aimed at the weak spot of signature-based solutions, the security

    industry is continuously seeking new tools to shorten response times to attacks. The

    proactive approaches that have previously attempted to complement signature-based

    solutions can roughly be divided into two main categories according to the techniques

    employed.

    Sandbox: The sandbox approach is based on running executable and other active

    email attachments in a virtual, contained environment, while monitoring them for pre-

    defined illegal or suspicious behavior (e.g., modifying registry entries or changing

system settings). Email identified as suspicious is treated accordingly (held or

    quarantined). A few challenges cloud the sandbox approach: first, the inherent lack of

    capacity to detect delayed viruses, as well as "silent" malware such as worms

    containing spyware or adware payloads (designed to leave no traces of malicious

    activity), and of course phishing. Second, having to actually run the attachments of

each email that enters the organization or ISP is costly and CPU-intensive

    (gateways usually avoid this technology).

    Heuristic Analysis: Heuristic-based virus detection is based on scanning email

    messages and attachments for suspicious code, focusing on common characteristics

(e.g., an attachment name that hides its extension, a code line inside the attachment that

modifies registry entries, etc.). Using this technique, some new viruses or

mutations of old ones are identified based on a resemblance to previous attacks'

characteristics, without the need for signature updates. The major drawback of

heuristic scanning is false positives, as innocent files are

mistakenly identified as viruses if the heuristic engine is too sensitively tuned. On the

    other hand, low sensitivity may result in missing new viruses. In addition, malware

    authors often test their malicious code against heuristic scanners prior to launch, and

    modify it accordingly to avoid detection.
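The sensitivity trade-off described above, as an added example that is not code from this paper or from any vendor named in it: a toy heuristic scorer run over constructed attachments. The traits, weights, thresholds, filenames and byte strings are all assumptions chosen for illustration. It shows the same rule set flagging a legitimate installer when tuned aggressively (the false positive), and missing a packed variant whose strings are hidden at either setting (the evasion the paragraph describes, where the author has tested the code against heuristic scanners before release).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Illustrative heuristic scorer (added example, not any vendor's engine).
# Feature list, weights and samples are assumptions chosen to show the
# sensitivity trade-off: a low threshold catches more but also flags benign
# files, a high one misses variants trimmed to avoid the heuristics.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "xls", "txt", "jpg", "gif", "zip"}
REGISTRY_MARKERS = (b"CurrentVersion\\Run", b"RegSetValueEx")
SMTP_MARKERS = (b"MAIL FROM:", b"RCPT TO:")


@dataclass(frozen=True)
class Attachment:
    name: str
    data: bytes


def real_extension(name: str) -> str:
    """Extension the OS will act on: the part after the last dot, ignoring padding."""
    return name.strip().rsplit(".", 1)[-1].lower() if "." in name else ""


def hides_extension(name: str) -> bool:
    """'photo.jpg.scr' or 'invoice.pdf<many spaces>.exe': a document-looking
    name whose real (last) extension is executable."""
    parts = name.lower().replace(" ", "").split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def score(att: Attachment) -> Tuple[int, List[str]]:
    """Weighted sum of suspicious traits; returns the score and the traits that fired."""
    hits: List[Tuple[int, str]] = []
    if hides_extension(att.name):
        hits.append((3, "document name with executable extension"))
    if re.search(r" {8,}", att.name):
        hits.append((2, "long whitespace run in filename"))
    if real_extension(att.name) in EXECUTABLE_EXTS:
        hits.append((1, "executable extension"))
    if att.data.startswith(b"MZ"):
        hits.append((1, "PE header"))
    if any(m in att.data for m in REGISTRY_MARKERS):
        hits.append((2, "registry persistence strings"))
    if any(m in att.data for m in SMTP_MARKERS):
        hits.append((2, "built-in SMTP client strings"))
    return sum(w for w, _ in hits), [reason for _, reason in hits]


def evaluate(samples: List[Tuple[Attachment, bool]], threshold: int) -> Dict[str, int]:
    """Confusion counts for a given threshold: an attachment is flagged when score >= threshold."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for att, malicious in samples:
        flagged = score(att)[0] >= threshold
        key = ("tp" if malicious else "fp") if flagged else ("fn" if malicious else "tn")
        counts[key] += 1
    return counts


PE_STUB = b"MZ" + b"\x00" * 40  # constructed stand-in for a PE header, not a real binary

# Constructed samples, labelled by hand; none of this is real malware.
SAMPLES: List[Tuple[Attachment, bool]] = [
    (Attachment("holiday_photo.jpg.scr",
                PE_STUB + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run MAIL FROM:<"), True),
    (Attachment("invoice.pdf" + " " * 30 + ".exe", PE_STUB + b"RegSetValueExA"), True),
    (Attachment("setup.exe", PE_STUB + b"RegSetValueExA"), False),  # legitimate installer writes the registry too
    (Attachment("report.pdf", b"%PDF-1.4 quarterly report"), False),
    (Attachment("update.exe", PE_STUB + bytes(range(256))), True),  # packed variant: tell-tale strings hidden
]

if __name__ == "__main__":
    for att, malicious in SAMPLES:
        print(f"{att.name!r:45} malicious={malicious} score={score(att)}")
    for threshold in (3, 5):
        print(f"threshold {threshold}: {evaluate(SAMPLES, threshold)}")
```

Run directly to see the per-sample scores and the two confusion tallies: at threshold 3 the installer is a false positive, at threshold 5 it is not, and the packed variant scores 2 and slips through in both cases.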

    Network-Based Proactive Detection

    The abovementioned proactive detection approaches are increasingly being

    integrated into antivirus offerings, alongside signature-based solutions. This "layered

    security" approach, as defined by IDC, provides organizations with a greater degree

    of accuracy in detecting known and unknown threats (see Worldwide Antivirus 2004-

    2008 Forecast and 2003 Vendor Shares, IDC #31737). Nonetheless, proactive virus

detection solutions tested by AV-Test in 2004 had 39% new-virus detection

    levels or lower. Most heuristic-based solutions tested had less than 30% detection

    levels.


    In light of this, rapidly propagating attacks are still an unsolved problem. As firms try

    to address this challenge, an alternative approach of inspecting real-time email traffic

    to identify malware outbreaks by their distribution pattern has emerged. This network-

    based proactive approach is based on analyzing the attributes of the outbreak itself

    (rather than the virus or malware that has already arrived). In addition to improved

    accuracy and response times, which are virtually unmatched by any other antivirus

approach, another benefit of the network-based approach is that it is agnostic to

specific content attributes. Hence, at least theoretically, any outbreak can be detected

regardless of its content, a significant advantage at a time when malware is

    becoming increasingly sophisticated, dynamic, and elusive.

    The major hurdle of applying the network-based approach is that in order to provide

    adequate coverage of threats, huge amounts of data must be collected from multiple

    locations all across the Internet, and analyzed in real-time. Otherwise, the ability to

    track new malware outbreaks as they occur would be significantly reduced. Given this

    requirement, the network-based approach is mainly applied by providers of managed

    email security services such as MessageLabs and FrontBridge that have access to

    large volumes of email traffic.

Commtouch Zero-Hour Virus Protection

    Commtouch is an OEM-focused messaging security vendor, specializing in real-time

    protection against email threats such as spam, phishing, and viruses. The company's

    Zero-Hour Virus Protection is an emerging network-based proactive malware

    detection solution.

FIGURE 2

Zero-Hour Preemptive Protection

[Timeline chart: Zero-Hour detection at 0.5-2 minutes into the outbreak; outbreak peak; first signature; 90% of top AV vendors' signatures released (20-30 hours); effective AV signature.]

Source: Commtouch, 2005


    Based on the analysis of the characteristics of modern malware outbreaks,

    Commtouch's patented Recurrent Pattern Detection (RPD) technology serves as the

    foundation for the company's email protection solutions. The first solution developed

    with this technology was an anti-spam solution that enables the detection of spam

    outbreaks as they occur, using sophisticated algorithms that analyze Internet traffic in

    real time. The solution is licensed today by providers of messaging security software,

    security appliances, messaging solutions and managed security services, and is used

    for the protection of about 35 million mailboxes.

    The second solution developed using the RPD platform is the Zero-Hour Virus

    Protection, a real-time malware detection and blocking solution that is designed to

    identify new outbreaks as they occur. The Zero-Hour solution analyzes email (SMTP)

    traffic in real-time, using massive amounts of data collected at different key points

    over the Internet to achieve a representative sample of worldwide traffic. In a fully

    automated process, data is then analyzed for recurrent patterns of malware

    outbreaks, to identify new outbreaks as soon as they are distributed (usually long

    before their first instances reach the protected organization).

FIGURE 3

Commtouch Zero-Hour Virus Protection

    Source: Commtouch, 2005

    The Zero-Hour architecture (see Figure 3 above) consists of the Real-Time Detection

    Center, which serves as a central repository for storing recurrent patterns along with

    classifications that represent the level and type of threat. At the customer's side the

Zero-Hour Engine, which is used for filtering incoming mail, samples "suspicious"

messages that are not recognized as known viruses and proactively queries the

    Detection Center. According to the classification received, the incoming message is

deleted, quarantined, forwarded, and so on.

    The Zero-Hour solution can be integrated into hardware or software gateways,

    desktop-based products, managed services, or network appliances.
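The distribution-pattern approach described under Network-Based Proactive Detection above, and the Detection Center / Zero-Hour Engine split just described, as an added example in Python that is not Commtouch's code: the paper does not disclose how RPD works, so the fingerprint (an exact SHA-256 of the attachment), the thresholds, the message fields and the assumption that every gateway also feeds sightings to the center are all illustrative. It shows why the verdict keys on spread across unrelated senders and recipient domains rather than on volume alone: a worm blasted from 60 zombies is quarantined within ten sightings and deleted once it crosses the outbreak threshold, while a newsletter from a single MTA to 80 recipients is delivered untouched, and old sightings age out of the window.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Illustrative distribution-pattern detector (added example, not Commtouch's
# patented RPD, whose algorithm the paper does not describe). Fingerprint,
# thresholds, message fields and the rule that every gateway also acts as a
# traffic probe are assumptions made to show the principle: count how widely
# one pattern recurs, not what its payload does.


@dataclass(frozen=True)
class Message:
    ts: float           # arrival time in seconds (constructed)
    sender_ip: str      # connecting MTA or zombie
    rcpt_domain: str    # recipient's domain
    attachment: bytes   # only its fingerprint leaves the gateway


def fingerprint(attachment: bytes) -> str:
    """Content-agnostic key: recurrence of the same bytes is what is counted.
    (Assumption: exact hash; a fuzzier key would also group near-variants.)"""
    return hashlib.sha256(attachment).hexdigest()[:16]


class DetectionCenter:
    """Central repository of recurrent patterns, fed by many probes."""

    def __init__(self, window_s: float = 600.0, min_count: int = 50,
                 min_senders: int = 20, min_domains: int = 10) -> None:
        self.window_s, self.min_count = window_s, min_count
        self.min_senders, self.min_domains = min_senders, min_domains
        self._sightings: Dict[str, List[Tuple[float, str, str]]] = defaultdict(list)

    def report(self, fp: str, ts: float, sender_ip: str, rcpt_domain: str) -> None:
        self._sightings[fp].append((ts, sender_ip, rcpt_domain))

    def classify(self, fp: str, now: float) -> str:
        """'outbreak' when one pattern recurs from many unrelated senders to many
        unrelated domains inside the window; 'suspect' while that spread is still
        emerging; 'unknown' otherwise (a single bulk sender never qualifies)."""
        recent = [s for s in self._sightings.get(fp, ()) if now - s[0] <= self.window_s]
        senders: Set[str] = {ip for _, ip, _ in recent}
        domains: Set[str] = {d for _, _, d in recent}
        if (len(recent) >= self.min_count and len(senders) >= self.min_senders
                and len(domains) >= self.min_domains):
            return "outbreak"
        if len(senders) >= self.min_senders // 2 and len(domains) >= self.min_domains // 2:
            return "suspect"
        return "unknown"


class ZeroHourEngine:
    """Gateway-side filter: signature hits are handled locally; everything else
    is reported to the center and its verdict is mapped to an action."""

    ACTIONS = {"outbreak": "delete", "suspect": "quarantine", "unknown": "deliver"}

    def __init__(self, center: DetectionCenter, known_bad: Set[str]) -> None:
        self.center, self.known_bad = center, known_bad

    def filter(self, msg: Message) -> str:
        fp = fingerprint(msg.attachment)
        if fp in self.known_bad:          # stand-in for the signature-based AV verdict
            return "delete"
        self.center.report(fp, msg.ts, msg.sender_ip, msg.rcpt_domain)
        return self.ACTIONS[self.center.classify(fp, now=msg.ts)]


# Constructed traffic, not captured data.
WORM = b"MZ" + b"\x90" * 64 + b"[mass-mailer body, variant A]"
NEWSLETTER = b"%PDF-1.4 weekly newsletter"


def build_sample_traffic() -> List[Message]:
    msgs = []
    for i in range(60):   # worm: 60 distinct zombies, 15 target domains, two minutes
        msgs.append(Message(1000.0 + 2 * i, f"198.51.100.{i}", f"victim{i % 15}.example", WORM))
    for i in range(80):   # legitimate bulk mail: one MTA, many recipients
        msgs.append(Message(1000.0 + 1.5 * i, "203.0.113.7", f"reader{i % 40}.example", NEWSLETTER))
    return sorted(msgs, key=lambda m: m.ts)


def run(msgs: List[Message]) -> Dict[str, Dict[str, int]]:
    """Per-fingerprint tally of the action taken on each message as traffic streams through one gateway."""
    engine = ZeroHourEngine(DetectionCenter(), known_bad=set())
    tally: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for m in msgs:
        tally[fingerprint(m.attachment)][engine.filter(m)] += 1
    return {fp: dict(a) for fp, a in tally.items()}


if __name__ == "__main__":
    result = run(build_sample_traffic())
    print("worm      ", result[fingerprint(WORM)])
    print("newsletter", result[fingerprint(NEWSLETTER)])
```

Run directly to print the two tallies. The design point is in classify(): volume alone never triggers, which is what keeps a legitimate bulk mailer out of quarantine, while the lower "suspect" tier lets the gateway hold messages before the pattern is fully confirmed, matching the blocking, delaying or quarantining behaviour the paper attributes to this layer. In a deployment the probes would report only fingerprints and envelope metadata, never message bodies (an assumption noted in the Message docstring).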


    Aimed at detecting mass outbreak indicators, Zero-Hour is differentiated from other

    proactive virus detection technologies by several advantages. First and foremost is

    the immediate and accurate detection of new outbreaks. Second, as Zero-Hour is not

    focused on identifying specific content attributes, it can capture any type of attack that

    carries the characteristics of a massive outbreak, regardless of its payload. This

    applies even for blended and other emerging threats that sometimes fall between the

    cracks, as in the previously mentioned silent attacks (e.g., phishing and spyware).

    Product Offering

    Commtouch is positioning Zero-Hour as a complement to existing antivirus solutions,

    as it provides the necessary early virus protection layer. By blocking, delaying, or

    quarantining suspicious messages long before the availability of the signatures, it

    allows antivirus providers to perform the in-depth analysis required for developing

    new virus signatures, while keeping customers protected in the meanwhile.

    Commtouch's go-to-market strategy is to offer Zero-Hour technology in an OEM

model. The company's prime target audience is prominent providers of antivirus

"engines" looking for a complementary technology to their signature-based one, as

well as messaging security vendors and integrators using Zero-Hour for powerful

    differentiation (including security appliance vendors, secure content management

    software vendors, managed security service providers, secure email application

    vendors, and others).

CASE STUDIES

BlueCat Networks

    Founded in 2001, Toronto-based BlueCat Networks (www.bluecatnetworks.com) is a

leading provider of network security appliances. The company's product line consists

of the Adonis family of DNS and DHCP Appliances, Meridius Security Gateway, and

    Proteus Enterprise IP Address Management Appliance.

    The Meridius appliance protects organizations against spam and virus threats. On the

    spam side, it applies various protection techniques, including blacklisting, whitelisting,

    heuristic analysis/Bayesian filtering, and other options. In light of the growing

sophistication of spam, which is becoming increasingly hard to detect, BlueCat last

    year decided to enrich its product offerings with additional pre-emptive spam

    detection capabilities. After several tests, it signed an agreement to license

    Commtouch's Spam Detection Engine, which is based on RPD technology.

    Incorporated into the Meridius appliance, it now offers a first line of defense against

    new spam for BlueCat customers.

    Recently, BlueCat extended its partnership with Commtouch by signing an agreement

    to license Zero-Hour Virus Protection and use it in the Meridius appliance. According

    to the company, what made it realize the need for proactive virus protection was "the

    space between the beginning of the outbreak and the time that antivirus vendors get

    the definition right". In response to this gap, and based on its previous successful

    experience with RPD, Zero-Hour was a natural choice for BlueCat.


    Michael Hyatt, BlueCat President and CEO, finds a similarity between spam and

    viruses, which have both reached a point where new approaches need to be applied

    in order to fight them efficiently. "What was once acceptable for both viruses and

    spam is now not. There was a time when if you stopped 90% of spam that was okay

    but now the volumes are so high that 90% could cripple you. Regarding viruses, most

    antivirus companies were coming out with updates in 6-12 hours. But looking forward

    that might not be acceptable anymore. It is just a cat and mouse game."

    Zero-Hour will be implemented as a complementary solution in Meridius, which

    already includes an antivirus option provided by F-Secure. BlueCat hopes to obtain

    significant advantages from this combination, as Zero-Hour would be able to provide

    F-Secure with early alerts on malware outbreaks, allowing it to respond quickly with

    signature updates. At the same time, customers will be protected, since the

    Commtouch solution quarantines infected or possibly infected messages until further

    analysis is available.

    BlueCat also emphasizes the ease-of-use and management of Zero-Hour and the

    fact that it requires no tweaking of settings. As such, it fits well into Meridius, which is

    designed to operate with full transparency for end users and with minimal

    administration.

VirusBuster

    Founded in 1997, Hungary-based VirusBuster (www.virusbuster.hu) is a developer

    and provider of antivirus, anti-spam, and other security solutions for enterprises,

    SMBs, ISPs, and home users. The company's product line includes desktop, file

    server and mail server solutions, as well as an antivirus management system for

    Windows networks. The antivirus products are based on VirusBuster's platform-

    independent scan engine, which includes such features as heuristic analysis,

emulation technologies, spyware and adware detection and removal capabilities, and

native scanning of compressed files. The scan engine uses a flexible virus database

    that is updated on a daily basis.

    According to IDC research, VirusBuster is one of the leading antivirus vendors in the

    Central and Eastern European region. The company's products are used by other

    antivirus vendors, including Sybari Software, which was recently acquired by

    Microsoft.

    Last year, VirusBuster signed an agreement to integrate Commtouch's RPD

    technology into its email protection solutions, to provide an additional layer of real-

    time spam detection. Implemented as Extended Spam Protection, Commtouch's

spam engine complements VirusBuster's existing statistical filter that is accompanied

by different techniques, including heuristics, whitelists, blacklists, and real-time

    blackhole lists.

Peter Agocs, VirusBuster's CTO, notes that right after starting to use RPD

    technology, the company recognized the potential of using it not only for spam

    detection but for detection of malware groups spreading through email. "The

    technology's reactivity has excellent performance, setting a new industry standard for

    reaction time, which is such a critical issue nowadays. Commtouch reduces reaction


    time to minutes. Zero-Hour, as an online technology, allows users to stop new

    malware without updating the client side, which cannot be done in most cases by any

    other proactive solution".

    VirusBuster decided to evaluate Zero-Hour as a complementary solution to its scan

engine. In six months of testing, Zero-Hour maintained a detection rate of

    more than 92% (see Figure 4), and achieved 97% in the last period of testing due to

    several system changes. During this time, Commtouch's technology allowed

VirusBuster to rapidly detect virus outbreaks, while keeping false positives at negligible

    levels. During most of the testing period, false positive levels did not exceed 0.006%

    (1 in 16,600 messages), achieving an overall average of less than 0.003%. Based on

    this performance, the company decided to license Zero-Hour and to implement it in all

    of its email protection solutions as a default component.

FIGURE 4

Zero-Hour Detection Rate at Live ISP 6-Month Test

[Chart: malware detection rate by date, March 1 to July 24; average 92.73%; y-axis 0% to 140%; marked outbreaks: Beagle.BU/BV, Beagle.CH, Beagle.CK/CL]

Notes:

Detection rates refer to VirusBuster's product featuring Zero-Hour, as measured from March 1st to June 29th in a real ISP environment.

Detection rates over 100% occur when Zero-Hour detects malware that the virus scan engine database fails to detect.

Source: VirusBuster, 2005


CHALLENGES AND OPPORTUNITIES

Commtouch's Zero-Hour Virus Protection addresses a growing market need for protection against rapidly propagating malware outbreaks, which are becoming a major threat to organizations. Unlike other proactive antivirus solutions, the company's approach is focused on the most intrinsic characteristic of modern malware: achieving mass distribution in a short period of time. This makes Zero-Hour suitable for closing the early-hours window of vulnerability.

The market opportunity for proactive virus detection solutions such as Zero-Hour could be a significant one, but there are some challenges involved. For example, as Zero-Hour is a complementary product rather than a comprehensive antivirus solution, the decision to license the technology to antivirus and secure messaging vendors makes sense. But there is a limited target audience for OEM agreements, and success is therefore dependent on partnering with numerous key players.

Going forward, Commtouch should be looking to expand Zero-Hour to cover a larger scope of threats. As the messaging security space is experiencing consolidation and convergence of solutions, the next steps could be covering channels such as Instant Messaging and mobile (wireless) messaging, which appear to be among the next major malware targets.

In the longer term, the "consolidation" of threats that use multiple attack vectors to spread could spur the convergence of security solutions, mainly at the gateway level. This situation could create a market opportunity for Commtouch. Although the company's roots are in the messaging security space, with the right partnerships, RPD technology could be adjusted to cover HTTP, FTP, and other network channels, as well as wireless networks. Covering multiple channels with a single underpinning technology could be a significant advantage in the future market for security solutions.

CONCLUSION

Malware authors today are aiming their efforts at a major window of vulnerability in traditional defense systems: the reliance on signature-based antivirus solutions. As the time-consuming process of developing specific vaccinations against specific threats exposes organizations to mass infections by rapidly propagating malware outbreaks, proactive technologies are increasingly required.

Emerging technologies such as Commtouch's Zero-Hour Virus Protection could have an important role in mitigating those risks. Combined with traditional signature-based antivirus solutions, which will continue to be the main method for fighting known threats, proactive technologies should have an increased role in protecting against unknown threats.


COPYRIGHT NOTICE

External Publication of IDC Information and Data: Any IDC information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate IDC Vice President or Country Manager. A draft of the proposed document should accompany any such request. IDC reserves the right to deny approval of external usage for any reason.

Copyright 2005 IDC. Reproduction without written permission is completely forbidden.