Energy companies in the US and Europe are being targeted by an increasingly intense campaign of cyber attacks, security researchers have warned.

According to security firm Symantec, power companies in the US, Turkey and Switzerland have been targeted by a group of highly sophisticated hackers, which has been operating since at least 2011.

The group, which researchers have dubbed 'Dragonfly', has been attempting to gather intelligence and gain operational control of systems in energy facilities for an unknown purpose.

"The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations," Symantec said.

"The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future."

Dragonfly's targeting of power companies raises echoes of attacks against the Ukrainian energy grid which plunged parts of the country into darkness in 2015 and 2016. However, researchers have not identified any concrete links between those incidents and attacks carried out by Dragonfly, and warned against jumping to conclusions regarding attribution.

The group mostly used popular 'off-the-shelf' malware and widely-available administration tools to carry out attacks, which Symantec theorised could be part of a strategy to thwart attribution attempts.

Researchers also noted what while parts of the malware used by the group were written in Russian, other parts were written in French another potential false flag to throw investigators off the scent.

"Conflicting evidence and what appear to be attempts at misattribution make it difficult to definitively state where this attack group is based or who is behind it," Symantec said.

"What is clear is that Dragonfly is a highly experienced threat actor, capable of compromising numerous organizations, stealing information, and gaining access to key systems. What it plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organizations should it choose to do so."

Symantec is on track to beat its revenue estimates for the year after seeing a surge in demand from organisations looking to shore up their defences against cyber attacks.

Shares in the Norton anti-virus provider rose 2.5% to $32 in after hours trading as revenue in its enterprise security unit reached $646 million, a 34% rise for Q1 of 2017, according to Reuters. As a result, the company has raised its full year revenue forecast above analyst estimates.

Given the recent increase in cyber attacks, the company has seen a surge in the number of businesses trying to build preventative measures. The WannaCry ransomware attack, which affected around 300,000 public and private organisations across the world, was almost immediately followed by a second ransomware attack through the Petya malware.

Symantec has also benefited from a number of worthwhile strategic decisions, including the purchase of cloud security firm Blue Coat and identity protection provider LifeLock in 2016.

The company reported revenue of $1.23 billion (930m) for the first quarter ending 30 June, a profit of 33 cents per share, 2 cents higher than had been previously expected by analysts. Revenue for the full year is now expected to exceed $5.16 billion (3.9 billion) , up from a $5.10 billion estimate.

Alongside the forecast, Symantec also confirmed it would be selling its website certification business to DigiCert for around $950 million, according to a Reuters report.

Symantec made the news in 2015 when it was forced to fire a number of employees after it was discovered counterfeit certificates had been issued without permission from the company. Although these could have been used to launch security attacks or scams, it is thought the certificates were removed in time before any damage was caused.

Following the incident, Google demanded that Symantec take major steps in order to improve business practices in order to regain the trust of web browsers. However, earlier this year, citing repeated failures to comply with rules, Google once again issued warnings to the company, with rumours suggesting that the company had plans to distrust all Symantec certificates in August.

Cybersecurity firm Symantec has announced its intention to acquire web security firmBlue Coat for $4.65 billion.

Symantec is best known for its Norton series of security products, and also maintains one of the world's largest cyber intelligence networks.

Buying Blue Coat will help it enhance the protections it offers customers, the firm claimed, as well as helping them to securely take advantage of the cloud by combining its own technologies with those of Blue Coat.

Following the closing of the agreement, Greg Clark, CEO of Blue Coat, will be appointed CEO of Symantec and join the Symantec board.

Speaking about the deal, Clark said: "Today, Symantec keeps global enterprises, governments and individual consumers protected with solutions across threat protection. Likewise, Blue Coat is the trusted source for protecting billions of web transactions daily and is the clear leader in the growing cloud security market.

"Once combined, we will offer customers around the world from large enterprises and governments to individual consumers unrivaled threat protection and unmatched cloud security."

He added: "I am very excited about the opportunity to join Symantec as CEO and look forward to working with the strongest, deepest team in security to realise the many strategic and financial benefits this transaction will create."

Dan Schulman, chairman of Symantec, added: "Greg and the entire Blue Coat leadership team have done an exceptional job of strengthening, growing and scaling their business. In addition to a proven track record of delivering scale and profitable growth, Greg brings significant leadership experience, deep security expertise and a history of successfully integrating companies into a single portfolio."

Once the deal has been completed, Symantec plans to merge its threat telemetry with Blue Coat's networks and cloud offerings to provide security solutions across "hundreds of millions of endpoints and servers".

The company also said it will be able to deliver "security for the cloud generation of users, data and apps", applying its data loss prevention software for web proxies and to over 12,000 cloud applications.

Blue Coat provides security to more than 15,000 customers worldwide. For company's fiscal year ending 30 April, it took $598 million in GAAP revenue.

In tandem with the acquisition deal, financial backers of Symantec have stumped up further investments. Silver Lake has doubled its investment to $1 billion, and Bain Capital has pledged $750 million.

The transaction $4.651 billion, to be paid in cash has been approved by the boards of both companies and is expected to close in the third quarter of 2016.

Symantec is terminating its partnership with a reseller that stands accused of duping people into believing they were infected by malware, before charging them hundreds of dollars to remove' it.

Silurian, which was a member of the Symantec partner programme, scammed unwitting users by flagging up fake warnings on their PCs that were designed to look like Symantec's Norton Antivirus product.

The alert, hosted on a now-defunct webpage called quicklogin.us/norton, told users: "System Critically Infected. If you are not able to click on this button, immediately contact Support toll Free Helpline 1-855-637-1900."

Senior security researcher Jrme Segura at Malwarebytes, the security firm that uncovered the fraud, said: "This screen is completely fake, but combined with an alarming audio message playing in the background, it may be enough to dupe some users."

The security company phoned the number anyway to see what happened.

A technician advised them to go to a website that would allow him to take remote control of the computer, letting him perform a diagnostic.

Segura said: "This process is a core part of the scam because it allows crooks to tighten their hold on potential victims. With remote access, scammers can literally do whatever they want on the user's machine including stealing documents to installing (real) malware."

The technician quickly pointed to Windows EventViewer, the error reporting tool that tags applications with yellow and red warning lights for problems that are generally benign, but to an inexperienced user look worrying.

He then offered Norton Antivirus to the researchers at two different price options a one-off fix and installation for $199, or a one-year warranty for $249.

The tool can be purchased for 14.99 online, giving users one year of cover.

After discovering Silurian was a member of Symantec's partner programme, Malwarebytes raised the issue with Symantec, which promised to take immediate action.

A Symantec spokeswoman told IT Pro that it is terminating its reseller partnership with Silurian immediately.

She added: "While we can't say conclusively who was behind this particular scam, we can confirm that this particular site has been taken down and that we are also in the process of terminating our partner agreement with Silurian.

"After identifying any abuse of the Norton or Symantec brand, we pursue our rights and defend our intellectual property, and where necessary will work with law enforcement."

Pictures courtesy of Malwarebytes

Symantec has signed a deal with NATO Communications and Information (NCI) Agency to boost information sharing between the IT security firm and the military organisation.

The deal, which falls within the framework of the NATO Industry Cyber Partnership (NICP), will focus primarily on cyber threats. The two organisations claiming this kind of arrangement often offers the highest-impact, lowest-cost and fastest way to enhance cyber resilience, improve incident handling and mitigate vulnerability to attack.

Koen Gijsbers NCI Agency General Manager said NATO is facing new and increasingly dangerous threats to cybersecurity across the world and these threats could affect national economies and citizens.

"To avoid it, NCI Agency strongly believes in rapid and early information sharing on threats and vulnerabilities with leading companies worldwide, such as Symantec. Trust is the key to success," he said.

Sorin Ducaru, assistant secretary general of NATO's Emerging Security Challenges Division said the agreement was "an excellent and concrete example of how NATO and Industry can work side by side to confront difficult challenges in the cyber domain".

"When it comes to the cyber threat, none of us acting alone can address these challenges as effectively as if we act together. Increased information sharing translates into better cyber defence for NATO, Allies and our industry partners such as Symantec."

Cheri McGuire, vice president of Global Government Affairs & Cybersecurity Policy at Symantec, added that as cyber attacks become more prevalent and threaten society, it is essential that companies and governments work together and share threat intelligence to tackle critical cyber risks.

"The agreement between the NCI Agency and Symantec is another important step in our efforts to build trusted partnerships and defend global networks and critical infrastructure," she said.

At the Wales Summit last year, Heads of State and Government endorsed the NATO Industry Cyber Partnership (NICP) to pave the way for collaboration with the private sector in addressing cyber threats and risks. The agreement with Symantec is the latest in a series of important agreements with Industry in the framework of the NICP.

Fewer spam emails are clogging up inboxes than ever in the last 12 years, according to Symantec, which warned other forms of malware are on the rise.

The overall rate of junk messages fell to 49.7 per cent in June - the first time the total has dipped below the halfway mark since 2003, the security company said in its Symantec Intelligence Report.

The figure is the latest in a downward trend, with 52.1 per cent of emails being spam in April, falling to 51.5 per cent in May.

However, on 18 July some 61 per cent of 17 billion emails constituted junk, the research revealed.

Symantec pointed to a police crackdown on botnet networks, as well as European ISPs sharing information on identified botnet networks in an effort to block them, as the main reasons behind the drop.

Phishing emails also fell, from one in 1,865 emails in May to one in 2,448 in June.

Other forms of malware are on the rise, however, as cyber criminals seek alternative ways to target internet users.

A total of 57.6 million new malware variants were created in June, up from 44.5 million in May and 29.2 million in April.

"This increase in activity lends more evidence to the idea that, with the continued drops in email-based malicious activity, attackers are simply moving to other areas of the threat landscape," wrote Symantec.

These areas include ransomware, which crept from a 12-month low in April to reach 477,000 attacks in June.

Crypto-ransomware, where hackers encrypt victims' data until a fee is paid, was also up in June to reach its highest level in six months.

Dell has published its yearly Threat Report, analysing the most common attacks of 2014 as well as emerging threats organisations should be actively protecting themselves against in 2015.

According to results, point-of-sale (POS) malware, malware traffic in encrypted (https) web protocols and attacks on supervisory control and data acquisition (SCADA) systems were among the biggest problems facing business cyber security in 2014, increasing significantly from the previous year.

Patrick Sweeney, executive director at Dell Security, said: "Everyone knows the threats are real and the consequences are dire, so we can no longer blame lack of awareness for the attacks that succeed. Hacks and attacks continue to occur, not because companies aren't taking security measures, but because they aren't taking the right ones."

POS systems were hit hard in 2014, with many prominent names affected by fraud and identity theft for their customers. According to the report, POS malware has actually evolved over the last year, with Sweeny commenting:

"Malware targeting point-of-sale systems is evolving drastically, and new trends like memory scraping and the use of encryption to avoid detection from firewalls are on the rise. To guard against the rising tide of breaches, retailers should implement more stringent training and firewall policies, as well as re-examine their data policies with partners and suppliers."

Symantec's Internet Security Threat Report, also released this week, has painted a similarly gloomy picture of the ability for businesses to tackle incoming threats versus the increasing sophistication of malware.

"Attackers don't need to break down the door to a company's network when the keys are readily available," Kevin Haley, director of Symantec Security Response, said. "We're seeing attackers trick companies into infecting themselves by Trojanising software updates to common programs and patiently waiting for their targets to download them giving attackers unfettered access to the corporate network."

Worrying results indicated that companies are still taking an average of 59 days to create and distribute security patches, with hackers taking advantage of this gap in cases such as Heartbleed.

Not all threats are being delivered in new and more sophisticated ways, as email is still a huge avenue for cyber criminals, with social media scams coming in just behind.

"Cybercriminals are inherently lazy," Haley added. "They prefer automated tools and the help of unwitting consumers to do their dirty work. Last year, 70 per cent of social media scams were shared manually, as attackers took advantage of people's willingness to trust content shared by their friends."

Ransomware attacks rose by 113 per cent during the last year, with 45 times more victims of these aggressive attacks than in 2013.

Matt White, senior manager in KPMG's cyber security practice, commented: "Whilst technology based solutions still play a vital part of security, in order to begin winning the war' we need to look at more basic strategies.

"Locking down who has access to what in a company's systems (so that people only have the access the need to do their jobs) is a relatively straightforward way to reduce vulnerabilities and risk, yet time and time again we see the fundamentals not being applied. Until we start getting the basics right we won't get ahead of the cyber criminals."

In order to tackle the increase in some security risks, Dell predicts that organisations will begin to use two-factor authentification as part of their policies, and Android will continue to be targeted aggressively by malware writers, specifically targeting apps, banks and certain user demographics.

In addition, as wearable technology starts to take root, malware will react accordingly and begin to target our smartwatches and headsets. Electric vehicles will also be under more threat.

In general, there is a pervading fear that cybercriminals are one step ahead of organisations hoping to stay secure, leading to threats infiltrating businesses before they can conceivably protect themselves.

The long-running Ramnit botnet, which is thought to have infected 3.2 million Windows computers, has been shutdown, thanks to the combined efforts of Europol and the vendor community.

The botnet is thought to have been operational since at least 2010, and has previously been implicated in the theft of tens of thousands of Facebook logins and online banking details.

Its malware is reportedly spread by infecting executable files stored on PC hard drives with copies of itself, as its operators sought to build their botnet.

According to a Microsoft blog post about Ramnit, dating back to 2013, with the botnet in place, the people behind it reportedly turned their attention to using it to carry out dastardly deeds during 2012.

These include stealing online banking logins, passwords, cookies and users' personal information.

The botnet has now been brought to its knees with the help of a cross-continent investigative effort involving teams from Germany, Italy, the Netherlands and the UK working with Europol's European Cybercrime Centre (EC3), as well as representatives from Microsoft, Symantec and AnubisNetworks.

In a blog post by Symantec, published earlier today, the anti-virus vendor confirmed their collective work had resulted in a number of servers owned by the cyber criminals behind Ramnit being seized, along with other parts of their computing infrastructure.

The company has also released a tool, accessible here, for anyone concerned their PC may have been infected by Ramnit.

Wil van Gemert, deputy director of operations at Europol, said: "This successful operation shows the importance of international law enforcement working together with private industry in the fight against the global threat of cybercrime.

"We will continue our efforts in taking down botnets and disrupting the core infrastructures used by criminals to conduct a variety of cybercrimes.

"Together with the EU member states and partners around the globe, our aim is to protect people around the world against these criminal activities."

Kaspersky's Global Research and Analysis Team has denied being asked by a company or government entity to whitelist or stop detecting malware.

The company decided to clear up some rumours about it caving in to external pressures when it explained how it came to uncover the Regin malware, saying the reason it took so long to detect was because finding out the impact and intricacies of malware is a complex, resource-heavy process and involves a lot of cooperation between different security firms.

"Without unlimited resources and the fact that we're tracking multiple APT actors simultaneously (Careto/Mask, EpicTurla, Darkhotel, Miniduke/Cosmicduke, to name a few), this becomes a process that takes months, even years, to gain a full understanding of a cyber-operation," Kaspersky said.

"While some of the Regin samples got on our radar early and we continued to find additional samples and artifacts during the research, we are convinced there are others that are currently unknown and undiscovered," the company said in a blog post.

Regin has been in operation since 2008, Symantec revealed last month and has already been implicated in attacks by governments against large companies, the majority of which are situated in in Russia, Saudia Arabia, Mexico and Ireland. It believes the attack mechanism could have been used by a Western country with sufficient development resources.

"At Kaspersky Lab, we are processing hundreds of thousands of samples every day," Kaspersky said.

"The art of figuring out which ones are significant and further yet which ones belong together as part of a big APT attack is akin to finding needles in a huge haystack and then figuring out which ones belong to the same knitting set. We are grateful for every needle we discover, because this makes the world a little safer."

Security vendor Symantec today announced its intention to split into two companies, just a week after HP did the same.

The anti-virus vendor will divide its business into an IT security arm as well as a backup, recovery and storage division, an area in which Symantec has been building its reputation over recent years.

The company said it took the decision in order to focus on both the security and storage areas, with separate strategies for each, claiming it will lead to growth in both.

CEO Michael Brown said in a statement: "As the security and storage industries continue to change at an accelerating pace, Symantec's security and IM [information management backup and storage] businesses each face unique market opportunities and challenges.

"It has become clear that winning in both security and information management requires distinct strategies," he added.

Security

But the decision comes as Symantec struggles in the security trade, faced with declining PC sales and a rise in mobiles and tablets that its anti-virus business cannot serve.

While its security products generated 2.6bn in 2014, overall company revenue fell 3 per cent to 4.1bn this year, while its operating income dropped nearly 20 per cent.

Its CEO, Steve Bennett, was fired earlier this year after slowing sales, with Michael Brown parachuted in to take on the role.

In a statement to IT Pro, IDC associate director of information security Fayaz Khaki, said: "The security market has and continues to evolve away from the areas in which Symantec have traditionally generated the most revenue.

"As a result their security business has come under threat recently by other niche vendors and also by smaller vendors who have been able to respond to market changes quicker."

He concluded the split makes sense if the company is, as suspected, having problems integrating its security and storage businesses.

Symantec bought enterprise backup software firm Veritas a decade ago, but Forrester's Stephanie Balaouras argued many of its products have grown outdated and Symantec has struggled to integrate it with its security side as a result.

"[Veritas] had the leading volume manager, file system, host-based replication, and clustering technology in the market, but the latter products have all since had limited success as technology has changed," she said.

Symantec has outlined its security division offering, encompassing consumer and enterprise endpoint security, endpoint management, encryption, mobile, Secure Socket Layer (SSL) certificates, user authentication, mail, web and datacentre security, data loss prevention, hosted security and managed security services.

Quocirca security analyst Bob Tarzey was more upbeat about Symantec's prospects, pointing out that its security line up goes beyond simply protecting PCs running Windows.

"PC end-point security sales are important to Symantec, but are not the be all and end all, it has a lot of enterprise security offerings and extensive customer and channel relationships in that area," he told IT Pro.

"The security side of the brand, which has never escaped its Norton heritage, will be free to focus on the future with less distraction from the storage business."

Storage

Symantec sees a 10bn market in storage by 2018, and claims its backup and storage business serves three-quarters of the Fortune 500, and is worth 1.6bn.

Its storage strategy will focus on on-premise and cloud solutions, including NetBackup and Recovery-as-a-Service for the Microsoft Azure cloud aimed at cutting total cost of ownership for storing data.

It also hopes to give more visibility and management capabilities to companies looking to get increased value from their data.

Next year should see the release of Information Fabric, which Symantec claims will give customers more insight into their confidential and sensitive information by using metadata from other tools like NetBackup, Enterprise Vault, DLP, Endpoint Protection and Clearwell.

Gartner had a mixed reaction to Symantec's storage offering, saying its backup products lag behind those of rivals.

"Some of the new functions are playing catch-up with competitors," analysts Gene Ruth, Peter Firstbrook and Tiffani Bova said in a report.

But the analyst house pointed to Information Fabric as a way Symantec could modernise its storage products.

"Symantec's message around Information Fabric Platform' suggests the company will integrate backup, archiving, data loss prevention and e-discovery into a larger, more comprehensive data management solution," analysts Jimmie Chang and Jie Zhang said.

"Cloud, bring your own device (BYOD) and enterprise file synchronisation and sharing are also possibly opening new opportunities to the company."

Meanwhile, Forrester analyst Henry Baltazar said its range of products could see Symantec snapped up by a rival.

He said: "Storage is moving away from appliances and towards software-only storage. Symantec's storage assets would be easier to acquire without the security business because its backup and archive solutions could flesh out a vendor's software-defined storage portfolio."

Are two companies really better than one?

Forrester's Balaouras sounded a note of caution on the split, questioning whether it will help Symantec target IT managers whose priorities include consolidating resources and working with fewer suppliers.

"As standalone companies, they are less appealing as to a CIO who is looking for a handful of strategic partners in technology," she said. "The artist formerly known as Veritas is appealing to the VP of IT operations, while the security part of Symantec would be appealing to the CISO."

However, HP has also announced plans to split down the middle, creating two new companies.

Hewlett-Packard Enterprise will cover its server, networking, storage and cloud technologies, among others, while HP Inc will take on its legacy businesses of PCs and printing.

Symantec could be set to follow HP's lead by announcing a split of its business into separate companies covering security and storage.

According to a Bloomberg report, the company is in advanced talks about splitting in two, although a formal announcement about it is said to be a few weeks away.

Speaking to the publication under condition of anonymity, sources say the move could make either of the separate entities attractive acquisition targets to the likes of EMC and HP.

At the time of writing, Symantec had declined to comment on the report.

Despite its roots as an anti-virus software vendor, Symantec has been making a name for itself in the storage, backup and disaster recovery space for some time.

In recent years, sales of the company's security wares have been negatively affected by the industry-wide downturn in PC sales, while its storage business has shown signs of growth particularly in the case of its backup products.

According to its most recent set of financial results, released in August, sales of the firm's backup appliances were up 35 per cent on the previous year.

Meanwhile, improvements in the storage capacities of these devices have paved the way for the company to widen its reach into the enterprise and mid-market sectors.

Earlier this year, the firm fired its CEO Steve Bennett on the back of a slowdown in sales, before making Michael Brown his successor.

If Symantec does decide to split in two, it will become the latest in a recent run of tech giants to do so.

Earlier this week, HP announced plans to split the company into two separate ones, covering PC & printing, and enterprise services.

Meanwhile, eBay also recently confirmed plans to split from online payment provider PayPal as part of a move to boost revenue.

Symantec's Backup Exec 2014 (BE2014) aims to remedy the shortcomings of its infamous predecessor. The new features list is tiny but the Backup Exec media server now supports Windows Server 2012 and 2012 R2 and the sorely missed job monitor gets reinstated.

Along with improved backup and deduplication speeds, Symantec's granular recovery technology (GRT) now supports Microsoft Exchange 2013 and SharePoint 2013. Upgrading from earlier versions of Backup Exec should now be easier as BE2014 will retain all your backup jobs and settings.

For testing, we loaded the BE2014 media server on a Broadberry server equipped with dual E5-2470 Xeons plus 16GB of RAM and running Windows Server 2012 R2. The install proceeded without any problems and took less than 30 minutes to complete.

Symantec has relented to pressure and reinstated the Backup Exec Job Monitor

Job Monitor returns

When we reviewed Backup Exec 2012 we warned users that the radically redesigned console presented a steep learning curve and that they should run it in a test environment first before upgrading. Nothing has changed with BE2014 although the obvious addition to the console is the Job Monitor tab.

With this feature back in its rightful place, we could now keep a much closer eye on our backup and restore tasks. Two panels show jobs and job history and we could apply filters to each panel to refine the information on display.

Agents are required on each server to be backed up and we pushed these out from the main console. For testing, we used Windows Server 2012 R2, Server 2008 with the Hyper-V role plus Windows 8.1 hosts and had no problems installing the agent on them. Users upgrading from previous versions will need to deploy the new BE2104 agents to their servers which will require a reboot.

You'll also need to configure your backup storage locations. We used local storage and an LTO-6 tape drive on the Backup Exec media server plus a Boston IP SAN server providing multiple disk targets over 10GbE.

The steps required to create a backup strategy have been streamlined to a few mouse clicks

It's all in the resources

With BE2012, Symantec moved over to a resource-centric model which is designed to reduce the number of processes required to create a complete backup strategy. This still holds true with BE2014 and job creation is easy.

From the Backup and Restore tab you select all the servers you want to protect and choose a strategy from the drop-down list which will be applied to them all. Choices will be based on the storage already defined and active licenses but you could easily create a backup to disk job with tape staging for all your servers with just a few clicks.

The new job defaults to starting with a full backup followed by scheduled daily incrementals. Jobs can be modified prior to release so you can edit the backup sources and destinations, change the schedules, replace incrementals with differentials and add further stages if you wish.

The console provides a detailed overview of all backup activity and status of storage devices

Deduplication and restoration

For deduplication, we created a special Disk Storage device with this feature enabled. The only drawback is this is an optional feature costing around 400 extra. Arcserve Backup is far better value as it includes deduplication in the core product at no extra charge.

To test deduplication performance we backed up a Windows 8.1 client to an IP SAN target with this enabled. On completion, we saw that the 90GB of data on the host has been reduced on the target to only 35GB.

Data restoration is more streamlined as when you select a server, BE2014 only presents you with the relevant options for this system. For our standard servers, we were given options to restore files and folders whereas on our Exchange system we had additional choices for restoring the datastore or individual mailbox items.

To use the new simplified disaster recovery (SDR) feature, you'll need to download the 3GB Microsoft Assessment and Deployment Kit (ADK) so you can create ISO files for restoring protected systems. In the first release of BE2014, the SDR environment is based on Windows PE 4 and doesn't support Windows Server 2012 R2 or Windows 8.1. If you don't want to run manual DR you'll need to apply the BE2014 Service Pack 1 which adds SDR support for these host systems.

Only the relevant options for the selected system are presented for data restoration

Overall

Considering BE2012 was launched over two years ago, it's a big ask to forgive Symantec for taking so long to sort out its flagship backup software. Migration from earlier versions has been improved but we still strongly recommend that users of Backup Exec versions prior to 2012 familiarise themselves thoroughly with it before upgrading.

Backup Exec 2014 remedies many of the outstanding issues of the previous version and existing users will no doubt be very pleased to see the Job Monitor again. It does simplify backup and recovery tasks but we recommend checking out arcserve Backup as it has benefited from a more robust development program and is better value.

Verdict

Backup Exec 2014 reinstates much missed features and sprinkles in new capabilities. If you’ve been struggling with BE2012 then upgrading should sort out most of your problems.

REQUIREMENTS Media server: Windows Server 2003 SP2 upwards

Anti-virus software is dead, according to the world's largest IT security company, Symantec.

The company lead the way for commercial anti-virus in the 1980s but is increasingly looking towards prevention, rather than cure. Fifty-five per cent of all malicious attacks pass straight through its antivirus software, it is claimed.

The source of the comments, Brian Dye, senior vice president of Symantec, told the Wall Street Journal: "We don't think of anti-virus as a moneymaker in any way."

Symantec has gone through two CEOs in as many years and is in the midst of a dip in share prices. Anti-virus still accounts for 40 per cent of the company's entire revenue stream.

Hackers and cybercriminals are using increasingly complex and novel ways of penetrating businesses' defences.

A report from research firm RedSocks has confirmed the slipping standards of anti-virus programs and the increasing aptitude of hackers. In January 2014, the overall malware detection rate for anti-virus software was 70 per cent, in February it dropped to 64 per cent.

The assumption made by security companies is that hackers will already be in a system and the key now is trying to detect them.

The industry has responded to this changing battlefield, trying to create new ways to prevent significant damage from occurring inside a network. FireEye, Juniper and other firms have taken up the challenge of protecting users once their first line of defence has been breached.

Despite the damming statement from Dye, Symantec has said it has no plans to abandon its flagship product: Norton anti-virus. The company will instead rely on a new range of security products to boost revenue.

Within the next six months Symantec plans to outsource intelligence briefings on the dangers of specific threats. The aim will be to teach companies not just how they are being hacked, but why as well.

"If customers are shifting from protect to detect and respond, the growth is going to come from detect and respond," Dye added.

A security researcher has found a piece of malware that appears to target the "internet of things".

Kaoru Hayashi, a security researcher at Symantec discovered the worm called Linux.Darlloz, which he claims is capable of attacking a range of small, internet-enabled devices in addition to traditional computers.

Hayashi said that no attacks against devices such as home routers, set-top boxes and security cameras have been found in the wild but warned that most users would not realise they were at risk as they would be unaware that their own devices ran on Linux.

The worm exploits a PHP vulnerability to propagate itself in the wild and uses an old PHP vulnerability that was patched in May last year, according to the researcher's blog posting. The attacker recently created the worm based on the proof of concept (PoC) code released in late Oct 2013.

On execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target.

"Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures," said Hayashi.

He said that because Linux has been ported to various architectures other than Intel, there is a chance that the worm could spread to other small devices with different processors.

"The attacker is apparently trying to maximise the infection opportunity by expanding coverage to any devices running on Linux. However, we have not confirmed attacks against non-PC devices yet," he said.

Symantec has verified that the attacker already hosts some variants for other architectures including ARM, PPC, MIPS and MIPSEL on the same malicious server.

The firm warned users to verify all devices connected to the network, update their software to the latest version and update their security software when it is made available on their devices.

Antivirus house Symantec has launched the latest versions of its Norton Mobile Security offering for Android smartphones, iPhones and iPads.

The Android iteration of the software focuses on privacy, which the company claims is a growing area of concern for consumers, with particular reference to rogue apps.

Using a new technology named Norton Mobile Insight, Norton Mobile Security scans users' phones to reveal which apps may be putting their personal information at risk.

The software will notify users if any app is found to be exporting information such as their contacts, photos or call logs.

This, the organisation claims, "empowers consumers to protect their personal information and make informed decisions about which apps to keep or remove".

Con Mallon, senior director of product management at Symantec, said: "The issue of privacy is a complex and evolving one, for both consumers and developers.

"Until now, mobile app privacy scanning has been done only at the most superficial level, which doesn't yield truly relevant and actionable information to consumers. With this latest release, we are [able] to deliver an unprecedented view into app privacy and information leakage. With this information, consumers can actually decide for themselves whether to keep each app."

For iOS device users, Norton Mobile Security features extended anti-theft capabilities, which includes a scream' alarm to help users find their missing phone or tablet quickly.

The software is available to purchase immediately and its recommended retail price is 29.99.

In addition, Symantec's Norton 360 Multi-Device and Norton One products will also be updated to include the features of the latest release of Norton Mobile Security.

Data breaches suffered by UK organisations could cost as much as 2 million per incident, a study of real world incidents has discovered.

The average cost per compromised record has increased to 86, up from 79 in 2011. Cost per compromised record was 47 in 2005, according to the Cost of Data Breach Study, carried out by the Ponemon Institute.

The average incident now costs firms 2.04 million each, increasing from 1.75 million last year. The study looked at 38 reported incidents. These ranged in size from 3,500 records breached to just over 70,000 records, with the average incident size being 23,000.

"While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious," said Larry Ponemon, chairman of the research firm. "Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22% since the first survey."

The study looked at the direct and indirect costs incurred by 277 companies in the US, UK, Germany, France, Australia, Italy, Japan and Brazil after the loss or theft of protected personal data.

The report, commissioned by IT security firm Symantec, found that while negligence is the main cause of data breach, 37 per cent of data breaches involved negligent employees or contractors, while malicious or criminal attacks have grew slightly from 31 to 34 per cent of data breaches, making this the most expensive type of breach at 102 per compromised record.

"With more than a third of UK data breaches involving negligent employees or contractors the human factor' is still the weakest link, and so training and awareness should be a priority from the offset," said Mike Smart, product and solutions manager at Symantec.

"But here in the UK it seems that malicious attacks are becoming nearly as big a problem. Not only have more data breaches been down to malicious attacks, but when it does happen, it is far more costly."

Businesses need to take greater action to prevent data leakage and theft by employees, according to research carried out by security firm Symantec.

Almost two-thirds (62 per cent) of employees believe it acceptable to transfer work documents to personal devices or cloud-based file sharing services, the survey of 3,000-plus people found.

Furthermore, the majority never delete the data they have moved, because they see no harm in keeping it.

Of those who had left or lost their jobs in the last 12 months, 50 per cent admitted to taking confidential corporate data with them, with 40 per cent saying they planned to use it in their new job.

Employees not only think it is acceptable to take and use IP when they leave a company, they also believe their employers do not care, according to Symantec's findings.

Just 47 per cent of respondents indicated their organisation takes action when employees break the rules surrounding the movement of sensitive information. Some 51 per cent said their company does not strictly enforce policies, so feel it more than OK to take corporate data.

Symantec's research also found that only 38 per cent of employees said their manager views data protection as a business priority, while 44 per cent thought ownership of IP rests with the person who created it.

Lawrence Bruhmuller, vice president of engineering and product management at Symantec, chastised businesses for their lax attitudes.

"Companies cannot focus their defences solely on external attackers and malicious insiders who plan to sell stolen IP for monetary gain. The everyday employee, who takes confidential corporate data without a second thought because he does not understand it is wrong, can be just as damaging to an organisation," he said.

Dave Brutt, founder of Mobility Legal, urged companies to take action before it is too late.

"When it comes to trade secret theft ... an ounce of prevention is usually worth 10 pounds of cure," he said.

"Before employees exit, dust off agreements they likely have not looked at in years, figure out all of the places the employee has stored sensitive company information and get it back, and ensure that employees understand their continuing obligations not to use or disclose company trade secrets," Brutt added.

Antivirus giant Symantec is said to be preparing to cut around 1,000 jobs as part of a wider restructure of its business.

During a conference call with analysts to discuss the firm's third quarter financial results, it was revealed that Symantec is planning to axe an unspecified number of middle management and senior exec jobs.

Meanwhile, in a report on Bloomberg this afternoon, sources claimed at least 1,000 jobs at the firm could go as part of a push to help the firm react faster to changing customer needs.

As well as job losses, the firm also announced plans to restructure its business under the Symantec 4.0' banner.

Steve Bennett, president and CEO of Symantec (pictured), said the change in strategy needed to be rolled out quickly to ensure the firm stays ahead of the competition.

"The world is changing quickly. We have tough competitors. So this won't be an evolution. We cannot get there through incremental steps to try and move to where we need to be," he said.

"So no evolution, Symantec 4.0 is all about revolution," Bennett added.

As part of this restructure, the firm is ditching its Storage and Availability Management Group (SAMG) business unit, and focus its sales efforts on acquiring new business, rather than rely on renewals.

"This is a big and exciting change for our company. We know this will be part of the transition. But the goal is to leverage all of our products, services, [and] technology to solve higher-order customer problems and drive faster, organic growth," Bennett added.

Despite talk of job cuts and company restructures, the firm's Q3 results saw Symantec clock up a four per cent rise in revenues to $1.79bn.

James Beer, chief financial officer of Symantec, said: "That's, in fact, the highest percentage growth rate we've seen organically in over four years now."

Furthermore, Symantec said the change in strategy should ensure this growth continues, and that it is committed to delivering at least five per cent organic revenue growth over the next three years.

Up to 1.5 million Android users may have suffered a serious data breach after downloading malicious apps, according to Symantec.

The security giant identified three apps, all posing as pornographic wallpapers, that were available through Google Play for more than 30 days, despite pornography being banned from the store.

Once downloaded, the app steals the user's Googlemail address, GPS co-ordinates, handset IMEI number and network operator information.

This data is then transmitted by the app back to a remote command-and-control server.

Analysis run by Symantec showed all three apps were from the same developer and are all identified by the company as Android.Coolpaperleak.

The organisation also discovered the apps were not a modified version of a safe app, but were malicious from the beginning.

"The erotic and porn industries are the most browsed on the internet," said Lionel Payet, a Symantec threat intelligence officer.

"If you just combine the most downloaded type of apps (wallpapers) with the erotic and porn industries, you will have in your hands the perfect chemistry for a top download application in no time."

This new threat comes on the back of research by fellow security player Kaspersky Lab, which showed 99 per cent of mobile malware was targeted towards the Android operating system.

Two of the most prevalent malwares detected, Opfake and Fakeinst, were so-called premium SMS diallers, which send SMS messages from a user's phone to a premium rate service without their knowledge.

Similar SMS scam apps pretending to be official London 2012 gaming apps were also found to be targeting Android users in the summer.

Kaspersky claimed the reason Android devices were popular targets was not because of how widely used the operating system is.

"The core security issue...can be traced back to the lax security of the Google Play marketplace, especially in comparison to the Apple iOS App Store," the company said.

"Surely more of the same is in store for 2013," it added.

Security and anti-malware company Symantec has identified a new worm that is attacking business IT systems and destroying their databases.

The threat, dubbed W32.Narilam, is predominantly active in the Middle East, according to the company's field tests. However, it has also been detected in the USA and UK.

Narilam is not the first malware to target businesses. Stuxnet, which was first discovered in 2010, targeted Siemens industrial software and equipment, while Flame, which was discovered in May 2012, is a spyware programme. Like Narilam, Stuxnet and Flame were originally centred in the Middle East, specifically Iran, and spread from there.

However, Narilam differs from other malware in that it only targets SQL databases, damaging the information they contain.

"Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations," Symantec said in a blog post.

"Our in-field telemetry indicates that the vast majority of users impacted by this threat are corporate users. This fact is consistent with the functionality contained within the threat. The types of databases that this threat is looking for is unlikely to be found in the systems of home users," the organisation added.

As the worm damages the databases by entering random values into the SQL code, Symantec is warning that unless appropriate backups are in place, those affected will be very difficult to restore and the disruption caused could even cause companies to suffer financial losses.

"Symantec users with the latest definitions are protected from W32.Narilam; however, we strongly recommend that important databases be backed up regularly," the company concluded.

Criminals are making 3 million a year from holding people's computers to ransom, according to a new study.

Research from IT security company Symantec revealed that 2.8 per cent of victims pay up to 280 to unlock computers infected with malware that locks screens and prevents them from accessing their PCs.

Cybercriminals often use social engineering tricks, such as displaying fake messages purporting to be from local police authorities, to convince victims to pay up. Such messages often include warnings such as, "you have browsed illicit materials and must pay a fine."

The research found that one gang was observed attempting to infect 495,000 computers over the course of just 18 days. The first instances of this type of cyber-attack were observed in 2009, and - until recently - it was largely limited to Russia and Eastern Europe.

"It has increasingly become a popular ploy among numerous international online criminal gangs, spreading the threat to Western Europe, the United States and Canada over the past year," said the company.

Symantec said ransomware will surpass fake anti-virus software as the leading cybercrime strategy in the coming year. It said there are other signs that ransomware is becoming increasingly professional.

Several different ransomware families, sold to what appear to be separate gangs, have all been tracked back to a single individual.

"That individual, who we have been unable to identify, is seemingly working full-time on programming ransomware on request" said the company.

"This dedicated development of multiple different versions of the same type of malware is reminiscent of how fake antivirus was developed."

The company also predicted that as users shift to mobile and cloud so will attackers to exploit Secure Sockets Layer (SSL) Certificates used by mobile devices and applications.

Earlier this week IT Pro reported that security researchers have identified a new malware strand that steals image files from computers and sends them to a remote server.

Security vendor Symantec has warned SMBs about being used by hackers as a route into larger firms they may do business with.

To protect end users from this, the firm recently launched Symantec Endpoint Protection Small Business Edition 2013.

"One of the things that I have seen is that the threat landscape has changed," said Jay Epton, director of SMB and distribution sales of Symantec at an event in London yesterday.

"Not only are we seeing more attacks, but we actually see the type of attacks changing all the time."

Epton said that, in this day in age, it is the younger population that are creating and spreading viruses to bring down businesses.

He also warned that SMBS are increasingly being used as a small stepping stone to get to larger enterprises, and finding themselves at the mercy of malware authors.

"Think about a smaller financial institution that might work with Barclays, think about a small engineering firm that might work with Honda," said Epton.

"They may use that as a stepping stone to get into these larger organisations."

Symantec Endpoint Protection Small Business Edition 2013 provides SMBs with protection from malware, viruses and is also designed for use with soon-to-be launched Windows 8.

Symantec security researchers have discovered a spamming tactic designed to fool users into clicking on links disguised as common file extensions.

The firm said the spam first appeared around two weeks ago and is linked to online pharmacy websites.

According to Anand Muralidharan, a researcher at Symantec, the emails contain the usual spam content - such as references to news events, images and video files - but the links seem to end with common file extensions.

These extensions include .pdf, .mp3 and .doc as well as .asp and .mpeg. However, instead of opening up files associated with them, they point users to pharmacy sites.

He said the source domain was registered in Russia and its servers were located in Hong Kong and the Ukraine.

In order to populate these types of attacks, also known as RSS news-feed spam, attackers use news feeds in the spam email.

Spammers have also used the recent death of legendary astronaut Neil Armstrong in this spam sample, Muralidharan added.

"The intention of using these particular file extensions could be to evade content filters, which typically look for other types of file extensions," he said in a blog post.

"Another reason could be to fool users who would expect the links to open the relevant file type."

He advised users to keep their security software up-to-date, in order to evade these types of online scams.

Scammers have also been sending out emails claiming to be from Symantec and other security companies, warning users their email account may be blocked because it has been sending out "infected" emails.

The link in the message points to a file that is named removaltool.exe, but contains a Trojan that downloads other malware to infect target machines.

The new attack was first spotted by security vendor Websense.

Forty per cent of UK consumers regularly ignore notifications about software updates, while a quarter claim they do not see the benefit in upgrading their systems.

The results were announced as part of International Technology Upgrade Week, which was set up to highlight the importance of regularly updating devices.

The event counts Skype, Symantec and TomTom as sponsors.

More than 350,000 people from the UK were invited to take part in the survey, which was carried out on behalf of the event's organisers by YouGov.

Half of the UK participants said they needed to see an upgrade prompt between two and five times before acting on it, while a quarter claimed they did not know how to check for updates.

The top reasons given by respondents for updating their software include keeping computers safe from hackers and preventing system crashes.

Meanwhile, consumers said they often put off software upgrades because of security fears,and the amount of time they take to do.

Steve Watts, sales director of two-factor authentication vendor SecurEnvoy, said the survey highlights the need to educate users about how their devices actually work.

"As we move to mass market PC ownership, it becomes clear that the traditional and security aware users of a computer are going to give way to someone that does not understand how their PC actually functions [or] how to update it," said Watts.

"We, as an industry, have to develop easy-to-use [systems] that [are as] foolproof as possible," he added.

Security giant Symantec has confirmed the departure of its president and chief executive, Enrique Salem, after posting a "solid" set of first quarter financial results.

Salem's role at the firm has been filled by Steve Bennett, who became the chairman of the Symantec board in 2011.

In a statement, Bennett said Salem had made a significant contribution to Symantec in his three years as CEO, but the board of directors felt a change at the top was necessary.

"My view is that Symantec's assets are strong and yet the company is underperforming against the opportunity," said Bennett.

Dan Schulman, Symantec's newly-appointed lead director, added: "The board's decision to make a leadership change was not based on any particular event or impropriety, but was made after ongoing consideration and a deliberative process."

News of the senior management changes comes on the same day Symantec posted its first quarter financial results.

The firm banked a GAAP revenue of $1.6 billion during the three months to June, which was 1 per cent higher than the same quarter last year.

The firm's GAAP net income fell from $191 million in Q1 2012 to $172 million this year. "Variation in year-over-year GAAP results were...due to increases in restructuring costs and IT infrastructure investments," explained the company in a statement.

Bennett said the firm had delivered "another solid quarter" based on the success of its investments in cloud and mobility technologies.

"We are making progress on many fronts, but believe we can further accelerate the company's value to employees," Bennett added.

A bug in an update of Symantec's anti-virus software has caused some Windows PCs to crash, making machines inoperable until they were serviced in an embarrassing episode that angered some customers.

The company disclosed the problem on its website, saying that an update to its widely used Symantec Endpoint Protection 12.1 and Norton anti-virus software for businesses caused some PCs running Microsoft Windows XP software to crash repeatedly, showing what is known as the "blue screen of death."

The embarrassment comes at a challenging time for Symantec, whose shares have lost about a quarter of their value since it warned of a pending profit decline three months ago.

"Enterprise security has continued to be an uphill battle for Symantec," said Daniel Ives, an analyst with FBR Capital Markets. "There is increasing competition. The company historically has not been consistent around executing."

The company knows so far of about 300 corporate customers that have been affected, and about 60 consumer customers.

Customers reported it took Symantec hours to identify and fix the bug and that they needed to fix computers broken by the tainted update on their own.

Symantec blamed the glitch on software compatibility issues that arose after an update was released late on Wednesday. PCs could be fixed if customers manually removed the software from each disabled computer, it said in an advisory.

"Phoning Symantec support this morning was the start of the hell we went through," one customer said in a support forum on Symantec's website.

"The support is a joke, the quality control is a joke, and the software is not much better."

Customers complained on a Symantec user forum that the removal process was time consuming, although one said the software maker had offered compensation for the inconvenience.

That customer said on the support site that he emailed technical support to ask: "How is Symantec going to compensate customers for the hours of lost worker production and the time and effort taken by IT staffs to rectify this huge error by Symantec?"

He said a company representative called him 20 minutes later to say they were working on a compensation package.

"I encourage everyone to ask to be compensated for the time and effort it took all of us (to) fix Symantec's software," the customer said on the support site. (bit.ly/LiH764)

Symantec spokeswoman Ellen Hayes did not respond when asked if any compensation that might be in the works.

A technology manager with Dutch company PSO Beheer BV told Reuters the bug caused some 150 PCs to fail. His company had to close a laboratory with equipment running on Windows XP machines and also sent some workers home so they could access their network remotely.

"It did have quite an impact on our business," said manager Ron van den Broek. "My first impression is Symantec is downplaying the effects of this issue."

A Maryland-based insurance company temporarily shut down anti-virus software for all its 150 PCs to prevent them from getting damaged, leaving them without protection, the company's technology manager told Reuters.

The Flame virus, which has been waging war on computers across the Middle East, has been ordered to self destruct, it has been claimed.

The malware was uncovered by Russian anti-virus vendor Kaspersky last month, who described it as one of the most complex pieces of malicious software ever to be released.

It tries to leave no traces of the infection behind.

Kaspersky claim the malware is capable of stealing data from targeted systems, stored files, contact data and audio conversations.

The malware operates by stealing data from infected machines, which is then passed onto a network of command-and-control servers located across the world.

However, rival anti-virus vendor Symantec claims these servers recently out an "updated command" to the computers that have already been compromised by Flame, ordering them to delete the malware.

In a blog post, announcing the discovery, Symantec said the command would have prompted the servers to ship a file called browse32.ocx, which is effectively a Flame uninstaller.

"It locates every file on disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection," said the blog post.

"It tries to leave no traces of the infection behind."

Symantec claim the file was created around three weeks before the news of Flame's existence first broke and was still being sent out to compromised machines last week.

"The existence of this module is interesting in itself. Previously analyzed [Flame] code showed us a component named SUICIDE, which is functionally similar to browse32.ocx," added Symantec.

"It is unknown why the malware authors decided not to use the SUICIDE functionality, and instead make Flame perform explicit actions based on a new module."

Security giant Symantec has spotted a spam campaign designed to get malware on anti-Putin campaigner PCs.

Vladimir Putin was re-elected as president of Russia last week, but there have been protests against his rule both pre and post-election.

Now, spam messages have been sent out purporting to contain instructions for rallies against Putin.

The emails included an attachment detected by Symantec as Trojan.Dropper, but those who see the document are presented with details of an apparent anti-Putin meeting that even features a map.

From a spam perspective, this attack is quite unusual mainly because of its size.

However, malicious macros, if enabled, will be running in the background and "a particularly nasty Trojan" is activated, the security giant found.

Various files are then deleted from the user's machine, including .doc, .exe, .xls and .zip files.

"The Trojan also attempts to connect to IP address 193.104.153.31 (down at the time of analysis), which contains links to the notorious Trojan.Smoaler threat," said Symantec's Stephen Doherty, in a blog post.

"Smoaler recently used the surero48421.ru domain as part of its command-and-control server and this website formerly resolved to the above IP address.

"Once it has destroyed all of the above files by overwriting them, it then runs code to cause the computer to crash (blue screen) through a call to the RtlSetProcessIsCritical API."

Symantec also noted how unusual the spam attack was, pointing to the size of the emails.

"From a spam perspective, this attack is quite unusual mainly because of its size (average of more than 500 KB). Most spam messages do not exceed 10 KB," Doherty added.

"For example, in the latest Symantec Intelligence report, 56 per cent of all February spam messages were less than 5 KB with 30 per cent between 5 - 10 KB and only 13 per cent greater than 10 KB."

Security firms haven't had an easy year. As RSA chairman Art Coviello said earlier this week at RSA 2012, vendors have been "going through hell."

Suppliers, certificate authorities and other tech companies have been battered by hackers. Symantec, the world's biggest security firm, has not escaped the attention of cyber criminals.

pcAnywhere customers know that more than anyone. They were told to disable their remote access software after hackers started taunting Symantec about the pcAnywhere source code they had acquired in 2006.

We caught up with Symantec's chief information security officer Patricia Titus, who only started four months ago, to talk about the situation and the aftermath.

Earlier this week, Art Coviello said the security industry had a horrible year. Have you seen any spikes in attacks on yourself?

Yes. It has been so targeted. I was talking to the CISO of Sony today and we were saying it goes in waves. You get that bullseye painted on you and then it is constantly hitting the front door and looking for any little area to exploit.

Did you have any spike in activity after the pcAnywhere revelations?

Yeah we did. We saw for about a two to three week period afterward there was a spike.

What happens is the media brings it up and everybody in town, all the little script kiddies and everybody who has nothing to do with their time says hey, let's go and get Symantec.' So the probes start and you're getting constant port scanning.

Coviello has also talked about de-investing in old, traditional technologies. Do you think it is dangerous that people might take this as a hint to ditch firewalls?

It's all still part of that defence in depth strategy. It's not a sexy term anymore, it used to be a great term, defence in depth.

You know what is critical to your organisation and if you don't you probably aren't in the right job.

But the bottom line is we still need those perimeters around the right data types. The problem has been people seeing the network as flat, the data all the same and you can't keep up with the investment.

There is a methodical approach to categorising your data and applying the security controls commensurate with the data level. So instead of treating all your data like it is mission critical, and having firewalls and IDS sensors and PKI and cameras and guns and badges - the whole nine yards - you can start to say this is low assurance data.

I would argue that you know what is critical to your organisation and if you don't you probably aren't in the right job. What's important to Symantec? What's the keys to our kingdom? Intellectual property.

If I were to target one system I would look at my IP depositories. I am looking at our IP. In fact, we're going back and looking at all previous events that took place.

Has that been inspired by the pcAnywhere source code leak?

It would have been inspired anyway just based on the categorisation exercise that we're going to go through in the company.

We've already started to look at our applications because we've merged with a lot of companies. We've acquired a lot of applications, a lot of databases, structured and unstructured data. We need to figure out who owns it.

Now we have to go around and figure out who owns this data, how do you value it and how does the company value it. For instance, my database system that tells me how many chairs I have, if I'm the facilities person that is really important to me. Now you have to look at it and ask, is it really important for Symantec to know how many chairs we have? Unlikely, because developers will sit on the floor if they don't have a chair.

We were accused of changing our story. Well you change your story as information becomes available.

It is an exercise. Identify your systems, identify what is accessing them, identify your data, where it is and who owns it, categorise your data. Then you have to look at the control documents and ask what controls do I need to apply.

Symantec, like most other commercial companies, relies heavily on ISO (a security standard offering best practice recommendations) certifications. I don't think ISO is strong enough or deep enough in the technology side, or prescriptive enough, to clearly define what an individual needs to do. I believe that ISO is a good programmatic tool to use and it's gotten better, but it still doesn't get to the bit and byte level that I really feel is critical for us to protect our data.

Folowing the pcAnywhere, and what happened to RSA with their breach last year as well as Sony's nightmare year, have you learned anything about disclosure?

When you've had a situation, when do you put the public eye on it? The situation changes as information becomes available. So when this first thing came out, it was something completely different than what ended up happening.

Thinking back to 2006, we had completely different forensics capabilties. So what was first released was the hacker saying they had something but weren't going to say what it was. Then they said they were going to tell Symantec what it is and they had some bogus document that looks like it came from some Government and stole it from somewhere. After a couple of days, we were able to say that was a bogus document and you're just full of crap, you just bought it from somebody.

We were accused of changing our story. Well you change your story as information becomes available, so as we got better visibility into it we were actually able to tie it back to the situation that took place. We were trying to be as transparent as we could.

With eveything that has happened in the past year, including disclosures from RSA, yourself and VeriSign, as well as the undermining of the certificate authority system, should companies ensure they're being as transparent as possible about breaches?

I'll use an anecdote. Let's say a Government entity has a sensitive piece of information and it's classified and it gets put into an email and inadvertently sent out to a bunch of people who don't need to know, don't have the right clearance level. So now you've contaminated and polluted your email system.

The next thing you know people have forwaded this information outside your .gov domain into the public domain. Say public disclosure of that information could lead to loss of life - as an entity you have to look at it and if you look at it realistically, do I tell everybody about it? Do I say publicly how this happened, so get ready to die? Or do you say in this situation, I'm going to make a risk based decision?

You have to look at things and make risk-based decisions. In dome instances our products protect national security and so there is a business deicison and a risk-based decision that have to be made with your customers in some instances to say how far we want to go with something.

Security on a chip, the technology being delivered by Intel and McAfee, has not produced the goods so far, according to a Symantec executive.

There are questions over whether Intel's $8 billion bet was worth it, considering the technology had not proven itself to be better than protections already on the market, Symantec's group president for enterprise products and services Francis deSouza told IT Pro.

McAfee released the industry's first sub-OS security product in October 2011, built on the DeepSAFE concept, promising Deep Defender would bring the finest rootkit eradicating technology to businesses.

We've tried a bunch of things over the years but the thing is you are bringing together industries at opposite ends of the spectrum.

It came after Intel shook the security world in August 2010 by announcing its intention to acquire McAfee.

But Symantec has not yet seen how security on a chip is better than other services. deSouza pointed to a demo of how DeepSAFE technology caught a rootkit.

"Except then we also showed that you didn't really need DeepSAFE to catch it," he added.

deSouza said the two industries of chip making and security were very different, indicating working together has not been as productive as some had hoped.

"Since 1998 we've been working with Intel on how we can best move security forward. We've tried a bunch of things over the years but the thing is you are bringing together industries at opposite ends of the spectrum," he added.

"Intel's business is all about making things run as fast as possible but to do that you freeze it in the silicon and then it stays there for a decade, nothing changes.

"In security we do updates every few minutes and you could not imagine two more different worlds. It's been 14 years of our guys and their guys brainstorming."

Is security on a chip technology a dead duck then? "So far, yeah. We're still waiting to [see something]," deSouza added.

McAfee reaction

Raj Samani, CTO at McAfee, told IT Pro such early judgments should not carry weight.

"How can you make a judgment on something that is only a matter of months old?" Samani said.

"This is something that will fundamentally change the way we think about security."

As for whether there was great customer interest, Samani could not provide any data but said the excitement after the DeepSAFE announcement was proof this was a technology many cared about.

There has been little to no talk about the security on a chip concept at RSA 2012 this week, however, with most focus going on cloud and identity management.

UPDATED McAfee, after reading this article, wished to offer further comment on Symantec's thoughts about security on a chip.

Rees Johnson, vice president of McAfee Labs, said the October announcement was a beta version and the Deep Defender product will be widely available "very soon." "Those looking at the early version may not have had a full understanding of its complete capabilities, therefore any opinions are premature," Johnson said. "While other vendors claim to catch rootkits they do so after the fact. McAfee Deep Defender catches rootkits zero day. "When McAfee announced the product plans last October customers (including BT, London Security and Digital Era) were extremely excited at the potential capabilities.

"Now that we are closer to release we have spoken with numerous customers during the RSA Conference who all see the value in this early rootkit detection solution and bringing hardware and security closer together." Johnson added that Intel and McAfee are working on other sub-OS level protections.

"We have been shipping McAfee ePO Deep Command for almost six months this solution goes beyond the OS for complete endpoint management," he sadi.

"McAfee also has plans to release more solutions in the area of hardware assisted security as we see this as the new direction for the security industry."

Symantec has made a portion of its O3 product announced last October generally available, yet two-thirds of the overall package is not ready yet.

The O3 offering, which looks to deal with identity management and data loss protection (DLP) in the cloud, consists of three separate parts.

The first is the authentication level, which is ready now, allowing customers to push their in-house identity management policies out to the cloud. It does so by pushing these policies out from Symantec datacentres to end user devices, much in the same way Silicon Valley start-up Zscaler does.

The second part of O3 is the information security layer, which uses Symantec's existing DLP and PGP encryption solutions to protect the data itself.

If you have loads of devices and datacentres, you need access control. That is something Zscaler doesn't have.

Then there is the auditing aspect to O3, which alerts companies to security events so they can move to shore up holes in their cloud infrastrucure.

Those two latter parts are currently unavailable. Symantec spokespeople told IT Pro they would be ready at some point this year, but could not confirm anything more specific.

Once all of 03 is ready, it will be competing with RSA and Zscaler's unnamed cloud identity management product, which mixes the latter's web gateway offering with the former's authentication technology.

However, Symantec's group president for enterprise products and services Francis deSouza told IT Pro at the RSA 2012 conference today that Zscaler's technology lacked things the world's number one security provider could offer, most notably encryption.

"If you have loads of devices and datacentres, you need access control. That is something Zscaler doesn't have," deSouza said.

"You need information protection, so it's not only just a single sign-on and access control but it's DLP and encryption. [Zscaler] does not do any DLP.

"But I think RSA has realised that you can't rely on being on every device, because in the future you won't be. And you can't rely on controlling the server and the perimeter... That's the right direction."

Salesforce.com tie-up

Symantec has also chosen to deeply integrate 03 with Salesforce.com, creating an application on the Force.com platform.

The application will let customers use their Salesforce.com identities as their key into cloud services with a single sign-on.

Just as the general O3 product will do, it will also hand IT departments tighter controls over how and what cloud products are used via Salesforce.com. Two-factor authentication can be built into the app as well.

The O3 Salesforce.com software will be available from mid-2012.

Salesforce.com CEO Marc Benioff was on hand during this morning's keynotes to talk about the need for better cloud security.

"When you're a cloud provider, trust is our number one value. A critical part of that trust is the security infrastructure," Benioff said.

"There is no finish line when it comes to security... Because there is no finish line, trust is ultimately the most important thing."

IBM has issued the first major update of the security information and event management (SIEM) software it bought in its Q1 Labs acquisition, claiming it is blowing the competition out of the water with the amount of data feeds it has collated.

Big Blue said the QRadar Security Intelligence Platform, built mainly of Q1 Labs sauce rather than IBM's own code, draws together 400 sources on threats giving IT pros a wider knowledge of dangers facing their networks.

IBM has hooked up its own X-Force threat feed to the SIEM offering, which monitors 13 billion security events per day.

A host of other Big Blue offerings have been integrated into QRadar, including IBM Security Identity Manager and IBM Security Access Manager to mitigate the insider threat.

There are no vendors that can cover that breadth and that's really the value we bring.

Future integration modules are also being released for non-IBM products, including Symantec DLP, Websense Triton, Stonesoft, Stonegate and others.

"Essentially we support Symantec and McAfee and can extend to others. We don't support HP Arcsight," IBM told IT Pro.

Martin Borrett, director of the Institute of Advanced Security at IBM, said there had been a "wealth of excitement" around what Big Blue could do with Q1 Labs technology.

"We've been trying to figure out how IBM can take it to the next level, integrating our research and existing product line," Borrett told IT Pro.

"At this stage, apart from driving more scalability into the platform itself with new appliances, it's really about those flows in and out. We had all the insight from the X-Force but it just wasn't plugged into the platform in the way that it will be now. It's really about that crucial integration."

The release also marks another major moment for IBM in establishing itself as a major security services player.

However, it faces strong competition in the SIEM space, with Symantec already offering a well-respected product, HP running its Arcsight-based offerings and McAfee set to boost its presence in the market after acquiring Nitro Security.

Borrett said IBM had "significant differentiation" in the market, thanks to the large number of sources QRadar can access and the insight it can get from the data.

"There are no vendors that can cover that breadth and that's really the value we bring," he claimed.

"The depth of the analytics we can get out of the Q1 platform I think is significantly stronger and better than our competition. Because of the context we can do it in... and the real-time capability [QRadar] is significantly better than the competition."

As for the SIEM market in general, with major players coming in and swamping the market, Borrett claimed there was still room for smaller players to partner with bigger vendors to supply more insight for bigger offerings.

"The important thing is that those capabilities integrate into these other platforms and into our platforms in particular," he added.

Symantec has taken legal action against rivals Acronis and Veeam, claiming both companies infringe on its patents.

In a complaint filed in the US District Court for the Northern District of California, Symantec said Veeam had infringed on four separate patents. The company did not publish its Acronis complaint.

"Acronis and Veeam unlawfully leverage Symantec patented technologies in their respective backup and replication products," Symantec said in a blog post.

We are aware of the complaint, and plan to defend it vigorously.

"This free riding on Symantec is wrong and Symantec has filed these lawsuits to protect its intellectual property."

One patent in the Veeam case relates to methods that "permit the back-up of a virtual machine to a destination separate from the storage device used by the virtual machine."

Another relates to the restoration of a client machine, either virtual or physical, on a network.

The remaining two focus on period replication technology and a method for using a snapshot rather than a full volume copy for backing-up files.

Symantec's chief backup solution is Backup Exec, which it acquired when it merged with Veritas in 2005.

In its complaint, Symantec claimed it was harmed by Veeam's use of its technologies so much so that it could not be compensated in monetary damages alone. This may indicate Symantec would like to see Veeam's products, including its Backup & Replication lines, banned.

Veeam said it did not wish to comment on the matter as the litigation was ongoing.

Acronis, however, said it was willing to fight Symantec in court.

"We are aware of the complaint, and plan to defend it vigorously," an Acronis spokesperson told IT Pro.

"This type of litigation happens all of the time between competitors in the software business and has no effect today on our existing customers or our ability to sell software to new customers."

Hackers using the Anonymous name have continued their baiting of security giant Symantec, releasing what they claim to be source code for pcAnywhere.

The release on Pirate Bay came after law enforcement set up a sting operation in which the hackers demanded $50,000 in return for keeping the source code offline, Symantec said.

The hackers, meanwhile, said they had not made any ransom requests.

"Symantec has been lying to its customers. We exposed this point thus spreading the world that ppl need," the message accompanying the Pirate Bay release read.

Symantec has sought to distance itself from claims that it led the sting operation.

"Anonymous actually reached out to us, first, saying that if we provided them with money, they would not post any more source code," the company said.

"At that point, given that it was a clear cut case of extortion, we contacted law enforcement and turned the investigation over to them. All subsequent communications were actually between Anonymous and law enforcement agents - not Symantec."

However, the hacker claiming to be behind the Lords of Dharmaraja, supposedly an Anonymous off shoot, said Symantec had approached them rather than the other way around.

"You won't believe it but Symantec offered us money to keep quiet," a tweet from @YamaTough read.

The same user has indicated they plan to release information relating to Norton Antivirus. "NAV release coming in 7 hours," another tweet read.

The hacker has posted what they claim to be bits of code for Norton Utilities and other programs online over the past few weeks.

For IT guys

The security giant has stuck with the advice it gave customers last week, asking them to update the remote access software so vulnerabilities exposed by the source code leak were patched.

Initially, Symantec had advised customers to turn pcAnywhere off entirely.

"Symantec recommends that customers ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow general security best practices," the security firm said.

"If customers are unable to adhere to this guidance and have not installed the latest version with current patches, we recommend that they contact pcanywhere@symantec.com for additional assistance."

Symantec released a patch on 23 January eliminating known vulnerabilities affecting customers using pcAnywhere 12.5. On 27 January, Symantec released a patch doing the same for customers using pcAnywhere 12.0 and pcAnywhere 12.1.

The source code leak stems back to a successful hack on Symantec's network. At the time, Symantec was unsure about exactly what was taken.

Symantec today unveiled its latest backup solutions, with claims of higher speeds, lower costs and less complexity.

The company updated both its traditional software product - Backup Exec 2010 - and its cloud offering - Netbackup 7.5 - aiming to deal with the extra stress storage products are put under thanks to the data explosion of recent years.

"Customers' backup is not meeting their needs," Martin Warren, product marketing manager at Symantec, told IT Pro. "With tighter SLAs, higher data volumes and more complexity, users are managing two environments - virtual and physical - and backup is becoming less effective.

Customers' backup is not meeting their needs.

"With our updates, we address those issues."

Warren claimed Backup Exec 2012 backed-up data 100 times faster than its competitors due to more structured and efficient data storage, as well as incoporating deduplication at the software's core. The savings, he claimed, were "massive."

Symantec claimed by merging the physical and virtual backup into one product, as well as the deduplitcation and the ability to use the firm's cloud or in-house backup through one source, prices for a business can be reduced by 80 per cent.

"With SMBs, where resources and skills are limited, they need to get on with their businesses, rather than managing complex in-house IT," said Sharon White, another product marketing manager at Symantec.

"We offer them the [simpler] option, all in one."

Another feature in both backup programs is 'V-Ray' technology, acting like an x-ray to show complete visibility of the software under the hood.

Time to deploy has also sped up, with machines backing up within 20 minutes, and a simpler user interface has been introduced to focus on workflows and resources.

Backup Exec 2012 and NetBackup 7.5 are available today.

It's difficult to know who or what to trust these days.

Head over to the VeriSign website and you will be met by the bold claim that the Secure Sockets Layer (SSL) and code signing certificate services business which specialises in online identity and authentication will "build trust every step of the way" so as to ensure that you can "Trust your link. Trust your site. Trust your transaction."

But just how waterproof are those claims from the company which was acquired by Symantec back in August 2010, especially following the news that VeriSign had been hacked "successfully and repeatedly" that year.

Researchers are already seeing a rise in attacks which target the worldwide infrastructure that supports SSL.

The finding came thanks to the US law that requires companies to report breaches. A Reuters review of a couple of thousand documents contained in a filing by the US Securities and Exchange Commission (SEC) late last year showed VeriSign was hacked repeatedly during 2010 but the senior management team were not informed of the attacks until September 2011.

In that SEC filing, VeriSign admitted it "faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers." Although VeriSign remained quiet at the time of the filing, and still remains silent to this day as to exactly what information was accessed and what parts of its network was successfully breached, perhaps the most worrying section of the filing is the admission that "given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information."

VeriSign has gone on to make an official statement which insists that after a "thorough analysis of the attacks... we do not believe that the operational integrity of the Domain Name System (DNS) was compromised" and "we have a number of security mechanisms deployed in our network to ensure the integrity of the zone files we publish." This was good to know as nobody wants the DNS to be compromised, but it still didn't reveal what was compromised, only leading to much speculation regarding the integrity of its SSL certificates.

This should come as no surprise to anyone with an interest in matters of transactional security, as the whole 'is SSL dead?' debate has been raging for quite some time. Indeed, I myself covered this very subject over at our sister publication PC Pro back in May last year when I asked whether online shopping security was fundamentally broken.

Back then I was asking if the certificate-based trust model used for just about every financial transaction was secure enough in the light of certificate-related breaches such as Stuxnet which included device drivers signed using compromised certificates to give an impression of validity.

Then there was the hacker who compromised a Comodo reseller and generated a whole bunch of fake SSL certificates as a result. It was more than a week after the breach was discovered that all the major browsers had updated their certificate information to ensure users were not at risk from sites bearing the fake ones. And who recalls the DigiNotar fuss last year with fake certificates issued in order to impersonate Gmail amongst other services?

Going back even further, in 2008 I reported here at IT Pro about two years of compromised Linux security based around a vulnerability in the Debian OpenSSL cryptographic libraries and in 2009 I was already asking the 'is SSL secure?' question following a demonstration at Black Hat Las Vegas of man-in-the-middle attacks exploiting flaws in SSL to intercept traffic using a null-termination certificate.

This is something Rob Rachwald, director of security strategy at Imperva, picked up on when he noted "a growing number of web applications are delivered over the HTTPS protocol (HTTP over SSL) with attackers increasingly focusing their attacks against the various components of SSL." Rachwald claimed his researchers are already seeing a rise in attacks which target the worldwide infrastructure that supports SSL.

Meanwhile, Catalin Cosoi, global research director at security vendor BitDefender, thinks enterprise trust may already be shattered by the VeriSign breach.

The potential for some nasty security surprises is going to linger for a while.

"A valid digital signature is a crucial requirement of 64-bit operating systems whenever a critical piece of software tries to install itself. VeriSign is one of the most important enterprise trust authorities in the world, which delivers people safely to more than half the world's websites," Cosoi said.

"A certificate issued by VeriSign will automatically be accepted by both browsers and operating systems. This kind of incident practically voids all the security provided by 64-bit operating systems."

Cosoi concluded his statement on the breach disclosure with a worst case scenario, painting a picture of "several phishing attacks with valid certificates that browsers will render as legit" and which would "potentially yield a huge level of data that could be exploited for financial gain."

But there is one small detail that just about everyone seems to be missing here: there is absolutely no evidence to suggest that the SSL certification network was compromised at all. In fact, it would appear more likely to have escaped intact.

First of all the SSL certificate and code signing side of the VeriSign business was acquired by Symantec in 2010, at a time when Paul Meijer was director of infrastructure operations. Meijer continues that same role now for Symantec Authentication Services (which includes SSL and PKI amongst others) and is insistent that the authentication networks were not compromised by the breach.

Meijer said in a blog post that "at the time the breach occurred, VeriSign was running a separate production network to host the Authentication Services 'Cloud' of SSL, PKI, VIP, and FDS."

"When the Authentication Services business moved over to Symantec, we continued to employ the practice of this separate production network. This segregation prevents breaches on the corporate network from infecting the production network.

"Symantec's production network is completely separate from VeriSign's corporate network. Additionally, our development environment also resides on a separate network from the corporate systems network, and is hosted only in a Symantec-owned facility. Finally, the VeriSign root keys, which form the basis of SSL trust, are kept in an offline state and are never accessible on a network."

I'm not usually one to stand up for Symantec, but on this occasion it would seem that 'what if' fever has infected the media and security vendors alike, when there is nothing to actually suggest SSL certificates have been compromised.

I am not, for one moment, underplaying the seriousness of the breach. The potential for some nasty security surprises is going to linger for a while. Yet what the media, and anyone with an interest in keeping their data secure, should be doing is not speculating about certificate-based transactional security but rather putting pressure on VeriSign to come clean and tell us what was, as opposed to what was not, hacked.

VeriSign's network was hacked repeatedly in 2010, but the company does not believe its DNS servers were hit.

The company, which is the registry officer for websites ending in .com, .net and .gov, admitted to the breaches in a quarterly US Securities and Exchange Commission filing in October, Reuters found.

If the VeriSign DNS network or Secure Sockets Layer (SSL) certificate data was compromised, it could have allowed hackers to pose as official websites and dupe users out of valuable data. They could theoretically pose as a bank and gain truly important information.

The worst case scenario would be several phishing attacks with valid certificates that browsers will render as legit.

Symantec, which bought Verisign's SSL certificates business in 2010, claimed data relating to acquired products was not stolen in the breach.

"Symantec takes the security and proper functionality of its solutions very seriously," a spokesperson told IT Pro.

"The Trust Services (SSL), User Authentication (VIP) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing."

Ken Silva, who was VeriSign's chief technology officer until November 2010, said he did not know about the breach until contacted by Reuters. Furthermore, senior executives were not informed until September 2011.

"All in all, we need more details to see what exactly happened during those consecutive breaches and what data was actually stolen," said head of the Bitdefender Online Threats Lab, Catalin Cosoi, in a blog post.

"The worst case scenario would be several phishing attacks with valid certificates that browsers will render as legit. This would potentially yield a huge level of data that could be exploited for financial gain. However, it's important to remember that a strong anti-phishing solution will keep you protected."

Hackers have been going after security firms in earnest in recent times. In particular though, certificate authorities (CAs) have been targeted as they allow hackers to pose as official web services.

When CA DigiNotar was hit last year, it ended up going out of business because of the repercussions.

"These targets are all trusted third-party providers of certificates, services, or secure tokens -technologies that are extensively used to authenticate and create trusted relationships on the internet and within organisations worldwide," said Jeff Hudson, CEO of certificate management company Venafi.

"The inescapable conclusion is that these providers will continue to be compromised. The breaches cannot be stopped."

There are alternatives to the CA system, however. Noted researcher and now Twitter employee Moxie Marlinspike has offered something known as the 'Convergence' model.

With the model, users are handed the SSL certificates directly, before asking a number of "trust notaries" to download it too. It then relies on consensus from these notaries to authenticate the web transaction.

To add an additional layer of security, the user goes through a proxy notary so they will remain anonymous to the trust notaries.

Read on for our look at whether the CA system can survive.

Norton has announced the beta launch of Norton Identity Safe, which aims to use the cloud to secure multiple devices and logins.

Rather than having to carry a number of passwords for different websites, the beta sets up one master password and uses the cloud to enable it across multiple devices, be it an Android phone, iOS tablet or home PC.

Norton Identity Safe also includes Norton Safe Web, meaning in addition to the password tools, users get extra security protection on their mobile and home devices when accessing risky websites or by identifying dangerous URLs.

Research conducted by Norton claimed 38 per cent of respondents still wrote passwords down, with 45 per cent using the same login already across multiple sites. By utilising the cloud, the risk to users should be decreased, whilst still only having to remember one login.

Extra features of Norton Identity Safe include the ability to share links via social networks safely, as well as offering thumbnail images with their logins so they know it is a genuine programme.

As it is in the beta stage, Norton is keen for feedback from its users and has asked them to visit its forum to share their experiences.

Symantec is telling IT departments to disable its remote access software solution pcAnywhere after a source code leak meant the product faced an "increased security risk."

The security giant said it was reaching out to customers to warn them of additional dangers, after it admitted source code relating to various products was stolen.

Hacktivist group Anonymous had threatened to release Symantec source code earlier this month, leading the Norton provider to admit a breach in 2006 had compromised information.

Symantec recommends disabling the product until we release a final set of software updates.

Prior to today's revelation, Symantec had simply asked IT departments to ensure best practices with pcAnywhere use. The reviewed advice indicates the 2006 hack exposed more than initially thought.

"Symantec has taken an aggressive position to ensure pcAnywhere customers are protected. At this time, Symantec recommends disabling the product until we release a final set of software updates that resolve currently known vulnerability risks," a spokesperson said.

"For customers that require pcAnywhere for business critical purposes, it is recommended that customers understand the current risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow general security best practices."

From the 2006 hack, affected products include old versions of Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack), as well as pcAnywhere. Symantec Endpoint Protection (SEP) 11.0 and Symantec AntiVirus 10.2 also inherited a very small amount of exposed code.

Symantec has backtracked on how source code relating to its products was leaked, revealing its own network was hacked in 2006.

The revelation came after hacktivist group Anonymous claimed it was going to release the full source code of Symantec's flagship Norton anti-virus software.

The security giant said it believed the data acquired by hackers came after a hack in 2006, although it could not confirm to IT Pro how the break-in took place.

Symantec customers - including those running Norton products - should not be in any increased danger of cyber attacks.

Earlier this month, Symantec confirmed some source code relating to older enterprise products had been stolen. At the time, it claimed Norton products were unaffected and its own network had not been breached.

Hackers calling themselves The Lords of Dharmaraja threatened to publish the information online, saying they acquired the information from the Indian military.

From the 2006 hack, affected products include old versions of Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack) and its remote access software solution pcAnywhere.

Symantec Endpoint Protection (SEP) 11.0 and Symantec AntiVirus 10.2 inherited a very small amount of exposed code, the company said. There are no indications customers data has been stolen, it added.

"Due to the age of the exposed source code, except as specifically noted below, Symantec customers - including those running Norton products - should not be in any increased danger of cyber attacks resulting from this incident," a spokesperson said.

"Customers of Symantec's pcAnywhere product may face a slightly increased security risk as a result of this exposure if they do not follow general best practices. Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information. Since 2006, Symantec has instituted a number of policies and procedures to prevent a similar incident from occurring."

Symantec said businesses do not need to take any additional steps to protect themselves as a result of the hack. The company recommended customers ensure their software is up to date.

For any IT departments still concerned about the source code leak, Symantec has set up an advice page here.

Symantec did not disclose the 2006 hack publicly at the time, meaning it has taken between five and six years for the breach for the security firm to reveal what happened, or that the company did not know source code had gone missing back then.

RSA was heavily criticised for not immediately publicly disclosing a breach last year, when information relating to its SecurID product was compromised.

Security giant Symantec has acquired cloud-based archiving firm LiveOffice for $115 million (75 million).

LiveOffice partnered with Symantec as its original equipment manufacturer (OEM) for the firm's Enterprise Vault offering, but will now be fully integrated into the company.

Symantec said the deal would help bridge the gap between its storage and eDiscovery units, as well as increase its presence in the cloud computing space.

Overall, it means the security firm will be able to offer on-premise, cloud or hybrid solutions, allowing for a bigger push of its governance portfolio.

"The governance of information is increasingly important to businesses," said Katey Wood, analyst at the Enterprise Strategy Group. "Companies need to simultaneously control and liberate information, letting employees freely access the information they need for maximum productivity without resulting in compliance risks to the organisation."

"By bringing together on-premise and cloud-based security, archiving, classification and eDiscovery, Symantec provides a solution that can help organisations proactively classify, retain and discover information while reducing risk and avoiding costs."

The deal completed on 13 January 2012.

Symantec today confirmed some of its source code relating to two of its "older enterprise products" has been stolen.

Although one of the products has been discontinued, another remains active, yet Symantec was not forthcoming about what those products were.

The code is four and five years old, the security giant said, and does not affect Norton products for consumers.

If the source code is recent and hackers find serious vulnerabilities, it could be possible to exploit the actual anti-virus program itself.

"Symantec's own network was not breached, but rather that of a third party entity. We are still gathering information on the details and are not in a position to provide specifics on the third party involved," a spokesperson told IT Pro.

"Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec's solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time. However, Symantec is working to develop remediation process to ensure long-term protection for our customers' information. We will communicate that process once the steps have been finalised."

Symantec said it had no further details to disclose at the time but will provide updates as it confirms "additional facts."

Reports about a source code leak emerged earlier this week, following a post on Pastebin claiming source code for Norton Antivirus was stolen. However, the claims turned out to be false.

That post contained a document from 28 April 1999 defining the Application Programming Interface (API) for the Definition Generation Service. "This document explains how the software is designed to work (what inputs are accepted and what outputs are generated) and contains function names, but there is no actual source code present," Symantec's senior manager for corporate communications Cris Paden said yesterday evening.

However, the same group behind that posting made a second claim about additional source code.

Then this morning Symantec confirmed certain source code relating to its products had been accessed.

Hackers calling themselves The Lords of Dharmaraja threatened to publish the information online, a Google cache of a Pastebin post showed.

They claimed to have acquired the information from the Indian military.

"We are working out mirrors as of now since we experience extreme pressure and censorship from US and India government agencies," the message read.

Rob Rachwald, director of security for Imperva, noted many Governments require source code from vendors to prove software isn't spyware.

Although the source code leak would be "quite embarrassing on Symantec's part," it should not cause major security concerns for customers, Rachwald said.

"The workings of most of the anti-virus' algorithms have also been studied already by hackers in order to write the malware that defeats them. A key benefit of having the source code could be in the hands of the competitors," he added in a blog post.

"If the source code is recent and hackers find serious vulnerabilities, it could be possible to exploit the actual anti-virus program itself. But that is a big if and no one but Symantec knows what types of weaknesses hackers could find."

New research has found corporate laptop security lacking, while smaller firms emerged as vulnerable to cyber attack, yet unaware of their potential as targets.

A survey of 320 UK public and private sector IT managers and senior IT staff found 43 per cent did not have data or device encryption deployed to secure their business laptops and a further five per cent admitted they didn't know if encryption was in use.

The survey, conducted by eMedia, revealed only half of organisations used data encryption to protect removable media, such as USB memory sticks, removable drives and DVDs. Nearly half (44 per cent) said they had no solutions deployed to protect these devices and six per cent of respondents said they did not know if encryption was in use.

Terry Greer-King, UK managing director of Check Point Software, which sponsored the survey said: "These threats need to be addressed by a combination of education and technology so that organisations can protect their data, their business and their employees against the risks of security breaches."

A similar UK survey also carried out by internet security software firm in October 2010 found just 40 per cent of organisations had encryption deployed on their laptop, suggesting a significant proportion of businesses are still vulnerable to breaches from loss or theft of portable PCs.

These threats need to be addressed by a combination of education and technology so that organisations can protect their data.

Greer-King said new threats such as consumerisation have also emerged, and many organisations hadn't established measures to secure the use of personal laptops and smartphones in the workplace.

Nearly two thirds (61 per cent) of organisations surveyed said employees use personal devices for work (up from 55 per cent in Check Point's October 2010 survey), yet 42 per cent of the respondents said they had no formal process for deploying security to these devices, leaving corporate network at risk.

Only 17 per cent of organisations said they insisted on deploying security on personal devices used for work purposes, and 42 per cent restricted access to the organisation's network or data resources to authorised corporate devices only.

A further 73 per cent said they had not experienced an incident of data loss incident in the past 12 months, whether accidental or malicious.

Yet, despite email breaches being the second most common vector for breaches, only 32 per cent of respondents said they had any kind of data leak prevention solution to protect email traffic and sensitive files from reaching unauthorised individuals.

Another survey published today, the Symantec 2011 SMB Threat Awareness Poll [PDF], also found half of small to midsized businesses believed they were too small to be the target of cyber attacks.

Yet data from Symantec.cloud found that 40 per cent of all targeted attacks since the beginning of 2010 had been directed at companies with fewer than 500 employees, compared to only 28 per cent for large enterprises.

Over two thirds (63 per cent) did not secure systems used for online banking, while a further nine per cent admitted they took no additional online banking precautions. Nearly the same proportion (61 per cent) used neither antivirus on all desktops or mail servers or services (47 per cent).

UK foreign secretary William Hague opened the first ever London Conference on Cyberspace today by saying building a consensus over cyber issues was "a great challenge of our time."

Hague emphasised the need for greater collaboration between Governments in tackling issues such as cyber crime and web censorship.

"We need understood rules of the road," Hague said this morning in London.

The foreign secretary said there was an "apparent rise in state sponsored attacks," warning about an increase in malicious use, where the most vulnerable people and national systems were being targeted.

It will become harder to protect our users or protect our defences from being swamped.

"The scope for malignant activity will widen alongside advantages It will become harder to protect our users or protect our defences from being swamped," he added.

A spate of rumoured state-sponsored attacks have been reported this year. In October, EMC's security arm RSA said a nation state was behind a hack on the company.

Yesterday, Symantec revealed at least 29 companies in the chemical industry had been targeted by an unnamed hacking group, possibly sponsored by a nation state.

Talking more broadly about cyber crime, Hague said successful prosecutions in the cyber space needed to "become the norm rather than the exception."

Control freak-out

Hague was also firm on the Government's commitment to ensuring the internet remained open, not just in the UK but globally.

His words came on the same day 11 organisations wrote to the Government claiming domestic policy was hindering plans to promote web freedom. The Open Rights Group, Index on Censorship and Privacy International were just three of the letter's signatories.

"The Government's record on freedom of expression and privacy is less than ideal. Britain's desire to promote these ideals internationally is being hampered by domestic policy. The Government is currently considering greater controls over what legal material people are allowed to access on the internet," the letter read.

"We call for the UK Government to seize this opportunity to reject censorship and surveillance, domestically and internationally, that undermines people's rights to express themselves, organise or communicate freely. That is the only way to both enshrine the rights of citizens in the UK and to support these principles internationally."

Today, Hague said the internet should not be "stifled" by Government control.

"The internet must remain open and not become ghettoised," he said. "It is time to build on our common interest with real diplomatic weight."

Furthermore, cyber crime should not be used as an excuse for governments to censor internet use, Hague added.

Hungary is to host follow-on event to the London Conference on Cyberspace in 2012. Korea will hold another in 2013.

A host of chemical sector companies were targeted by hackers between April and September this year, as part of a coordinated campaign by an unknown group.

A number of Fortune 100 companies involved in research and development of chemical compounds and advanced materials were targeted as part of the attacks, codenamed Nitro, Symantec reported.

The group, a member of which Symantec spoke to in order to gain a greater understanding of the attacks, sought to gain intellectual property by placing a Remote Access Tool (RAT) Trojan known as Poison Ivy onto targets' machines.

Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property.

"First, when a specific recipient was targeted, the mails often purported to be meeting invitations from established business partners. Secondly, when the emails were being sent to a broad set of recipients, the mails purported to be a necessary security update," the Symantec report explained.

"The emails then contained an attachment that was either an executable that appeared to be a text file based on the file name and icon, or a password-protected archive containing an executable file with the password provided in the email."

Once the file was opened, the Poison Ivy malware would install itself on the victim's system and start communicating with a C&C server on TCP port 80 using an encrypted communication protocol.

"Using the C&C server, the attackers then instructed the compromised computer to provide the infected computer's IP address, the names of all other computers in the workgroup or domain and dumps of Windows cached password hashes," the Symantec report continued.

"By using access to additional computers through the currently logged on user or cracked passwords through dumped hashes, the attackers then began traversing the network infecting additional computers. Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property."

A nations state attack?

The motives and backing of the hacking group behind Nitro remain unclear, despite some indicative information uncovered by Symantec.

The majority (27 per cent) of the infected machines identified by the security giant were located in the US, with 20 per cent in Bangladesh and 14 per cent in the UK. However, Symantec said the attackers were not targeting organisations in any particular country, as the geographical spread of hits was varied.

Instead, the security company suggested attackers were either going after sites, or individuals in certain sites, which they knew had access to particular data. The attackers may also simply have been targeting the lowest hanging fruit and attempting to dupe those with weak security, Symantec said.

Whilst China was mentioned in the report the member of the hacking group responsible from Nitro was based in the Hebei region there was no evidence to suggest a nation state was, or was not, behind the attacks.

Nevertheless, the hackers involved in Nitro targeted other industries outside of the chemical sector, making the case for a nation state's involvement more likely.

They targeted another 19 companies, most of which were in the defence industry, Symantec said.

The team behind the most sophisticated piece of malware ever seen has returned with some fresh malicious software.

Stuxnet creators have used much of the same code for their new creation, known as Duqu, which has grabbed the attention of security researchers after an unnamed independent team detected it.

However, Duqu is not as sophisticated as Stuxnet and is not targeting the same SCADA systems used in power plants.

The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

Instead, Duqu has been used to acquire information in the lead-up to another Stuxnet-esque attack in the future, researchers have suggested.

A small number of organisations have been hit, including some in the manufacturing of industrial control systems.

"The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility," a blog post from Symantec read.

"Our telemetry shows the threat was highly targeted toward a limited number of organisations for their specific assets. However, it's possible that other attacks are being conducted against other organisations in a similar manner with currently undetected variants."

Attacks using Duqu could stretch back as far as December 2010. The malware has been used to download a separate information stealer onto systems. That info-stealer was able to pilfer data in a variety of ways, including keystroke logging, before sending it off to a command and control centre in India inside an encrypted file.

The malware was programmed to run for 36 days before removing itself from systems.

Stuxnet similarities

Security researchers across the board have been fairly certain Duqu was created by the same team behind Stuxnet, even though there is no direct proof.

"They had to have access to the original source code, which only the creators of Stuxnet have. There are various decompilations available online. Those would not do," Mikko Hypponen, chief research officer at F-Secure, told IT Pro.

"It's perfectly possible they [the team behind Stuxnet] did a similar information-cathering phase in 2008 or 2009 for the original Stuxnet and we just missed it."

Aside from the code similarities, Duqu's driver files are signed with certificates apparently stolen from a Taiwanese company, as were Stuxnet's.

Certificates were stolen from RealTek and JMicron in the case of Stuxnet, whereas in Duqu only one was compromised - C-Media Electronics Incorporation.

In recent cases, certificate authorities have been compromised so hackers could issue fraudulent certificates, as was seen with the now-defunct CA DigiNotar. However, the certificate used to sign Duqu appears to have been stolen somehow, even though McAfee's analysis suggested otherwise.

"Symantec has known that some of the malware files associated with the W32.Duqu threat were signed with private keys associated with a code signing certificate issued to a Symantec customer," the security giant said today.

"Symantec revoked the customer certificate in question on 14 October 2011. Our investigation into the key's usage leads us to the conclusion that the private key used for signing Duqu was stolen, and not fraudulently generated for the purpose of this malware."

(Source: Wikipedia)

COMMENT In the space of a few hours, two big announcements from the security information and event management (SIEM) industry hit yesterday.

Intel-owned McAfee decided it wanted a piece of the pie so it snapped up Nitro Security.

Meanwhile, IBM joined the party by agreeing to acquire Q1 Labs a company which was adamant it was not for sale just 12 months ago.

Last year, HP spent an absolute fortune on getting its mitts on ArcSight - a company then (and still) ranked as the market leader.

This would all indicate the SIEM industry is rather big one. The irony is, these three major acquisitions may actually herald the end of the SIEM market as we know it.

It's not an industry, it's a feature

In all three acquisitions noted above, the acquired party has or will see its technology rolled into a bigger package. In the case of Q1 Labs, it will form part of an entirely new division within IBM. Recently-appointed CEO of Q1 Labs, Brendan Hannigan, will even head that division once the deal goes through.

Everyone knows that SIEM is just one layer of what companies would need for effective protection, but these recent acquisitions have indicated SIEM is not an industry on its own. With these big deals came an acceptance that SIEM is really just a feature.

During a press conference yesterday, Hannigan even admitted that SIEM was just a part of what he called "security intelligence."

"The end point is security intelligence which is broader than SIEM," Hannigan told IT Pro.

"Firms that focus just on log management and event correlation will be limited. Security intelligence is the key."

Hannigan said the best way for Q1 Labs to provide its services to end customers was to through a larger vendor in this case IBM. "We will be able to offer significantly better solutions than we could have done before," he added.

Put simply, expect the rest of the SIEM industry to be gobbled up by tech giants in the coming months. Their products will also be rolled into existing, wider ranging security offerings, leaving the sector looking rather thin.

Just like deduplication in storage, SIEM is just a piece of a larger pie that vendors won't be able to rely on as a sole selling point in the future.

What will Symantec do?

So HP, IBM and McAfee have all joined the party. That leaves one notable absentee: Symantec.

Earlier this week, Symantec CEO Enrique Salem said his company was considering spending another $1 billion on acquisitions. However, Salem did not mention the SIEM, or security intelligence, segment. Instead he focused on mobile, virtual spaces and the cloud.

Nevertheless, with chief rival McAfee making a splash yesterday, Symantec will be keen to show it isn't off the pace.

Of course, Symantec already has a product in the area the unimaginatively titled Security Information Manager.

But to consolidate its dominance of the security landscape, it will want to have the best of breed in the intelligence space. With others acquiring some impressive companies, Symantec would do well to show it wants to be a serious player in this space.

So who could it be looking at? Rapid7 is one growing company in this area. Just today it announced it was expanding into Europe with a new base on the continent.

However, it didn't appear on Gartner's SIEM Magic Quadrant from earlier this year. Now that Q1 Labs and NitroSecurity have been snapped up, the best option from Gartner's rankings appears to be LogLogic.

It is still a relatively small comoany, with just 150 employees, but that might make it even more attractive for a prospective buyer, given how highly rated the company is.

Symantec has had its options cut thanks to IBM and McAfee, but there's still plenty of choice.

We'll just have to wait and see if Salem will want to splash some of the companies millions (possibly billions) on an intelligence firm. It would be a smart move doing so sooner rather than later.

Symantec today launched a platform designed to keep cloud applications and infrastructure safe from cyber security threats.

Symantec O3 unveiled at the company's Vision conference in Barcelona works for both public and private cloud infrastructure by allowing businesses to extend their internal security policies out to the cloud.

It aims to create a single "control point" for all cloud services a firm uses, keeping the same identity and information security for each employee across every solution, be it application or infrastructure-based.

The first feature is the cloud access control layer, which enables companies to keep their existing identities but help them federate it across their multiple cloud services.

Next is the information security layer, which draws on Symantec's existing DLP and PGP encryption solutions, stopping any confidential information entering the cloud before it is encrypted.

Finally there is the monitoring aspect to O3, alerting businesses to any significant security events and giving them the full picture of what is going on across their cloud environment.

"As organisations work to embrace cloud delivered services, they struggle to balance the potential upside benefits against the many challenges created as their sensitive information flows between an increasing number of solution providers, over networks, through organisations and down to devices outside of their infrastructure," said Art Gilliland, senior vice president of the information security group at Symantec.

"Symantec O3 will provide the visibility, control and protection they need to confidently embrace cloud computing."

The platform is currently in the early stages of beta testing but Symantec plans on a general release for some time in 2012.

Mixed messages

In the statement accompanying the release of Symantec O3, the company made claims security was still blocking the adoption of cloud computing, saying: "These new cloud platforms are not inherently insecure but comprehensive security and compliance solutions for the cloud are still missing."

However, the launch of Symantec's State of Cloud' survey today didn't convey this message.

It seemed the vast majority of the 5,300 respondents 87 per cent claimed moving to the cloud would either not affect or even improve their company's security.

Yet, the mixed messages continued as security was cited as the top concern for all of these organisations.

Francis deSouza, group president of enterprise products and services at Symantec, said: "To be confident in the cloud, IT organisations must take measures to ensure they have the same visibility and control of their information and applications whether they are in the cloud or residing on their own infrastructure."

Regardless of their views on cloud computing, it seems there is still some way to go before the discussions turn into practice.

Whilst over 75 per cent have talked about cloud and 73 per cent had dipped their toe in by adopting some form of cloud service, such as email, less than 20 per cent had fully implemented cloud, with two-thirds still discussing if they would ever take that step.

Questions also remain over whether IT staff can handle the jump. Nearly half of the respondents said their IT department wasn't prepared for the shift and just a quarter of their teams had experience with some type of cloud implementation.

Symantec also today launched a data loss prevention solution for the iPad and other tablets.

Security giant Symantec today unveiled a data loss prevention (DLP) solution for tablets to keep tabs on crucial company information, with the iPad version the first to launch.

As noted by IT Pro last month, Symantec is placing greater focus on DLP as it recognises some threats will inevitably get through its other security offerings.

The vendor has taken this strategy through to tablets, saying Symantec Data Loss Prevention for Tablet will provide "content-aware protection" designed to protect sensitive data.

With the massive growth in tablet adoptions, customers have struggled how to extend information protection to this new consumer tool.

"With the massive growth in tablet adoptions, customers have struggled how to extend information protection to this new consumer tool as it makes its way onto the enterprise networks," said Art Gilliland, senior vice president for the Information Security Group at Symantec.

"Symantec Data Loss Prevention for Tablet will enable IT to better support their businesses in adopting this new technology, while also maintaining strong protections for their sensitive information."

The iPad version is expected to be released in early 2012, with support for Android tablets coming later in the year, Symantec said during its Vision conference in Barcelona.

The product ties into other Symantec DLP and mobile solutions, meaning IT departments can use the same policies for tablets as they use for other devices.

The service will be charged on a per-tablet basis.

Symantec customers with Symantec PGP Universal Server can already enjoy some iPad-related security. The PGP Viewer for iOS, currently available on the Apple App Store, allows users to read encrypted messages.

Symantec was recently made to look a tad sluggish by McAfee, after its main rival put out an all-in-one security solution.

McAfee All Access, designed to protect Macs, PCs, smartphones and tablets, was made available last week.

According to reports, Symantec won't be delivering a similar product until next year.

Email-borne polymorphic malware tripled in September, raising fears over the worth of traditional anti-virus technologies.

The signature-shifting forms of malicious software accounted for 72 per cent of all email-delivered malware over the month, up from 18.5 per cent in August, Symantec.cloud data showed.

Some particularly nasty types of polymorphic malware has been in circulation over the past few years. Virut is one particularly dangerous piece of software that remained in Symantec's top 10 table for malware blocked at the endpoint in September.

Anti-virus technology cannot rely on signatures and heuristics alone.

W32.Sality is another and it took the number one spot this month. Both strains are associated with botnet activity.

The biggest worry for IT departments over this kind of malware is its ability to change its encryption key. This means it can't be spotted by anti-virus products relying on signature-based detection systems.

"This is something that anti-virus technology can sometimes struggle with, and many will employ emulation techniques to allow the malware to partially run in a controlled sandbox environment," Paul Wood, senior intelligence analyst at Symantec.cloud, told IT Pro.

"The latest strains of malware identified in the Symantec Intelligence Report for September include mechanisms for changing the start-up code in almost every version of the malware, subtly changing the structure of the code and making it harder for emulators to recognise the code as malicious. Anti-virus technology cannot rely on signatures and heuristics alone."

There is something of a war of words going on in the security industry at the moment about the best protection for modern threats like polymorphic malware.

The old guard, including Symantec, have been accused of using old technologies to solve new problems. In particular, the use of database detection systems has been criticised.

Yet Symantec believes its cloud-based Insight technology is more than capable of helping block zero-day or polymorphic threats, even if it isn't truly real-time.

Insight looks at the "integrity of an executable based on knowledge of its reputation and distribution in the real-world," Wood said. Essentially, the technology still relies on past facts to determine the safety of a file, but it can get hold of those facts fairly quickly to make an assessment.

Some rivals, such as M86 Security, claim this isn't fast enough.