Analysts differ on merits of Nova Shield anti-malware product

Madison, Wis. – Depending on who you talk to, the Madison-based NovaShield either has developed game-changing anti-malware technology, or really nothing new.
The product, called NovaShield 2.5, was officially launched Nov. 10 following a six-month trial period as a free public beta. Developed through research at the University of Wisconsin-Madison’s computer science and security lab, it’s a behavior-tracking approach to detecting new and more sophisticated cyber threats like drive-by-downloads, keyloggers, and rootkits.
Game changer?
Based on internal testing, company management is confident the product truly represents something more effective than anything else on the market, and they have offered it on a subscription basis through digital downloads as they seek to find a larger corporate partner for a wider sales and distribution channel.
As CEO Praveen Sinha explained, NovaShield 2.5 works by focusing on identifying malware behaviors. The idea behind the technology, which uses fewer than a dozen general policies to identify malicious activities in real time, is to capture and stop malware based on what the malware does. It is designed not only to supplement the protection offered by traditional signature-scanning anti-virus programs, but also to stop rapidly morphing malware that circumvents signatures and firewalls.
Dr. Hao Wang, director of research for NovaShield, said the technology is different from other behavior-based products in that it uses policy or subscription-based detection. “We use a generic description of what kind of behavior is considered malicious,” explained Wang, the principal architect of the product.
The product, which initially will be marketed to home PC users and small businesses, is a second-generation, behavior-based approach that also reduces the rate of false positives, where harmless software is identified as malware.
Behavior-based detection represents a departure from traditional anti-virus solutions, which focus on identifying malware by using signatures as a tag to mark and quarantine known threats. Analysts and security experts are in agreement about the limitations of identifying malware based on signature matching, but disagree over whether NovaShield’s software is really a superior behavior-based product.
Sophisticated threats
NovaShield received an endorsement from security analyst Robin Bloor of Bloor Research, who put the malware detection challenge in the context of insufficient signature-based solutions.
“The number of viruses and malware out there is growing at an alarming rate, and the idea of tracking them by signature-based solutions alone continues to be absurd,” Bloor wrote in his blog. “NovaShield’s behavior-tracking software maps high- and low-level events at the kernel [the central managing component of most operating systems] in order to block new threats and thereby fills a widening gap left by traditional AV or white-listing products for the average home PC user and small business.”
Neil MacDonald, a vice president and Gartner fellow who covers security and privacy, believes the behavior-based concept deployed by NovaShield is similar to that of U.K. vendor Prevx.
He noted that Prevx uses “signatures,” but they are not based on signatures of malicious code in files. Instead, Prevx signatures are based on events as the code executes, best described as execution signatures or “behavioral signatures,” so its technology uncovers malicious code based on what the code does.
According to MacDonald, anti-virus vendors are responding, albeit slowly, in an era of financially motivated, targeted attacks in which consumers can’t keep their desktops and servers patched as quickly as new threats appear.
To address the need for more-comprehensive endpoint protection, he said a large number of products using different protection approaches have entered the market for host-based intrusion prevention systems, or HIPS.
While Sinha said 80 to 90 percent of consumers still rely on signature-based products, MacDonald notes there are a number of competitors in the behavior-based space. He pointed out that it’s not new to observe application behaviors – while an application executes – and compare this to predefined rules as to what constitutes good versus bad application behavior. He indicated that Okena, since acquired by Cisco, was the first to use this approach, and others have followed: Entercept, acquired by McAfee; Platform Logic, Sygate, and WholeSecurity, all acquired by Symantec; and Pelican, acquired by Microsoft.
Based on his research, MacDonald believes there are pros and cons to the behavior-based approach. In terms of strengths, he said HIPS-style is the best way to prevent “good code gone bad,” but there is a potential snag. At this level, any of the HIPS protection styles can introduce denial-of-service conditions on applications they protect if the application is determined to be malicious and shut down. As a result, some organizations are reluctant to deploy protection styles on production servers.
In addition, protection styles at this level typically don’t deal with malicious software removal because most solutions do not keep a full record of what the software did during the installation process.
A future investor would want to know what a user could get rid of with such a product, MacDonald said. “A sales proposition that says we’re going to improve security is really hard,” he noted. “It’s about risk reduction. It’s hard to prove a negative; it’s hard to prove bad things aren’t happening.”
NovaShield plans
NovaShield, however, says its security product is designed to find, capture, and eradicate malware.
Thus far, the company has received about $4.7 million in two rounds of angel investing, and further developed the software with $150,000 Phase I and $350,000 Phase II small business innovation research grants from the National Science Foundation.
In addition to Praveen Sinha, NovaShield’s management team includes Dr. Somesh Jha, co-founder and chief scientist.
At the moment, the company is not actively seeking additional investment, but might pursue another round after 2009. In parallel with launching the product, NovaShield is talking with potential business partners about a sales and distribution channel partnership.
Sinha said consumers would be able to evaluate NovaShield 2.5 in relation to other products through rating agencies that typically test such products and report on their effectiveness. The company also would engage some potential product reviewers going forward, he indicated.