by Matt Hines

Startup pitches smarter AV

news
Apr 25, 2007

Robot Genius claims to vastly improve on traditional products' ability to find, block, and remediate desktop malware

With a name like Robot Genius you wouldn’t expect the company’s leaders to be modest, but the more you hear the firm’s Chairman Stephen Hsu talk about his startup’s new approach to anti-malware, the more you believe the name might fit.

On April 30, the company founded by Hsu and James Hormuzdiar, a partnership best known for building SSL VPN provider SafeWeb and selling it to Symantec for $26 million in 2003, will formally introduce a trio of behavior-based security products.

By taking a radically different approach to scanning the Web for malware code and using massive computing power to filter out every URL on the Internet responsible for serving up infections, Robot Genius’ technologies will change the way people view anti-virus tools, Hsu said.

“We’re entering an era where the scalability and bandwidth of machines allows for constant monitoring for malware by looking at the entire Web and studying every piece of downloadable software that’s available,” said Hsu. “Meanwhile, the current generation of virus-scanning applications, even behavior-based tools, has reached its limits in terms of finding the most sophisticated attacks, and lacks the ability to adequately fix problems once they’re found.”

There are only a small number of sites that offer immediate “drive-by” style infections online today, according to Hsu, with the majority of attacks still dependent on user-driven executable downloads. By choking off the malware sources themselves, the vast majority of viruses can be defeated, he said.

By marketing the tools to firewall makers, search engine companies, and Internet service providers, rather than customers themselves, the firm contends it can stop attacks long before they end up on people’s desktops and create a lucrative technology licensing business.

At the core of Robot Genius’ technology portfolio is its Web crawling technology, dubbed RGCrawler, which has been designed as an automated system for identifying online executables and testing them for malicious behavior. With no human intervention, the system claims the ability to find, download, and test every .exe file online and create a blacklist of suspicious programs.

By scouring each of the estimated 3 million executable file paths on the Web and scanning new programs almost as soon as they appear, Hsu claims, the system is far superior to its rivals, especially in terms of identifying zero day threats.

Based on the company’s research thus far, roughly 5 percent of all downloadable programs on the Web are some form of unwanted software, including attacks and unlawful adware.

By locating the exact sources of threats, as opposed to the infected Web sites that merely act as shills for distributing the malware code, the inventor claims that the system outflanks increasingly popular reputation-based URL filtering technologies such as McAfee’s SiteAdvisor. RGCrawler also looks at each executable’s individual characteristics, such as whether it ships working uninstaller functionality, to determine whether or not something is a threat.

Results of the .exe scans, carried out via Robot Genius’ Oakland-based server farm, are stored by the firm in an XML database which includes information about the programs’ host URLs and browser exploits, along with specific data about their attempts to infect computers, such as the registry modifications that threats seek to make.

“We all know how easy it is for the bad guys to modify their attacks even slightly to try to remain hidden, and that most AV systems won’t catch those variations,” said Hsu. “It’s also harder to detect malware, versus find the actual URLs responsible for handling the code; malware writers tend to change code a lot, but it’s harder for them to move the location of their work, especially if they’re trying to get attractive search engine ratings.”

One of the truly innovative aspects of the company’s technology is its ability to recreate the human interaction needed to download and test every executable it finds, Hsu said. Clicking through end-user license agreements (EULAs) and multi-step download pages made this a complex piece of technology to perfect, said the inventor.

According to Robot Genius’ internal tests against anti-virus engines from leading vendors in the space, Hsu said its tools catch 33 percent more malware strains than its rivals’.

Hsu said that the firm believes that it currently has the largest collection of Web-based malware code in existence based on the efficacy of its crawling technology.

Robot Genius will also unveil RGguard, a browser plug-in that actively monitors Web site activity as end users surf the Internet and warns them about potentially dangerous URLs or downloads. To help protect against legitimate download sites whose files have been hijacked by hackers, the plug-in is fed the exact full-path URLs of known threats rather than only their host domains, so one poisoned file can be blocked without blacklisting the whole site.
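The distinction the article draws between the crawler’s full-path blacklist and domain-reputation filters such as SiteAdvisor is easy to show in code. The following is an added example written for this page, not Robot Genius’ RGCrawler or RGguard code and not a description of how those products work internally. It assumes a blocklist of normalized full URLs, extracts executable links from a page, and reports for each link whether an exact-path rule and a host-level rule would have blocked it. The blocklist entries, the page URL and the HTML are constructed for the demonstration.

```python
"""Full-path URL blocklisting versus domain-level reputation.
Added example, not Robot Genius code. Blocklist entries and the HTML page are
constructed for the demonstration."""
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
EXE_SUFFIXES = (".exe", ".msi", ".scr")


def normalize_url(url: str) -> str:
    """Canonicalize a download URL so different spellings of one path compare
    equal: lowercase scheme and host, drop default ports and the fragment,
    collapse '.' and '..' segments. The query is kept because it can select
    which payload a server-side script hands out."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{parts.port}"
    path = posixpath.normpath(parts.path or "/")
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


class FullPathBlocklist:
    """Exact full-path matching, plus a host-level view that shows what a pure
    domain-reputation filter built from the same data would block."""

    def __init__(self, entries):
        self.paths = {normalize_url(e) for e in entries}
        self.hosts = {urlsplit(p).hostname for p in self.paths}

    def blocked_exact(self, url: str) -> bool:
        return normalize_url(url) in self.paths

    def blocked_by_host(self, url: str) -> bool:
        return urlsplit(normalize_url(url)).hostname in self.hosts


class ExecutableLinkFinder(HTMLParser):
    """Collect absolute, normalized links to executables found on one page."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if href and urlsplit(href).path.lower().endswith(EXE_SUFFIXES):
            self.found.append(normalize_url(urljoin(self.base_url, href)))


def scan_page(html: str, base_url: str, blocklist: FullPathBlocklist):
    """Return (url, blocked_by_exact_path, blocked_by_host) per executable link."""
    finder = ExecutableLinkFinder(base_url)
    finder.feed(html)
    return [(u, blocklist.blocked_exact(u), blocklist.blocked_by_host(u))
            for u in finder.found]


# Constructed blocklist: one hijacked path on an otherwise legitimate download
# host, and one known-bad host. Spelled oddly on purpose to exercise normalization.
BLOCKLIST = FullPathBlocklist([
    "HTTP://Downloads.Example.com:80/tools/../pub/installer.exe#top",
    "https://cdn.example.net/promo/free_codec.exe",
])

# Constructed page on the legitimate host, linking both good and hijacked files.
PAGE_URL = "http://downloads.example.com/tools/index.html"
PAGE_HTML = """<html><body>
<a href="../pub/installer.exe">Installer</a>
<a href="cleaner.exe">Cleaner</a>
<a href="https://cdn.example.net/promo/free_codec.exe">Codec</a>
<a href="/docs/readme.txt">Readme</a>
</body></html>"""

if __name__ == "__main__":
    for url, exact, host in scan_page(PAGE_HTML, PAGE_URL, BLOCKLIST):
        print(f"{url}\n  exact-path block: {exact}   host-level block: {host}")
```

Run stand-alone, the scan flags installer.exe under both rules but cleaner.exe only under the host rule: a domain-reputation filter seeded with the same incident would block every download from the legitimate host, while the full-path list blocks just the hijacked file. The trade-off is freshness: a path list only covers what the crawl has already seen, so an attacker who moves the payload to a new path slips past it until the next crawl, which is exactly why the article stresses crawl frequency.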

An RGguard Enterprise Edition of the software — to be marketed by Robot Genius licensees to IT administrators — promises to stop users from downloading or browsing known malware sources.

The third product introduced by the firm, dubbed Spyberus, is a behavior-based client meant to track all the files installed on a particular system to look for malware infections. In addition to closely monitoring file and kernel activity, and anything written to a machine’s hard drive, the program also claims the ability to reverse almost any malware infection.

In addition to a “take control” feature designed to immediately halt any malware-driven processes on a PC and make it easier to debug, Spyberus keeps a “program activity history database” that records everything needed to ensure that every file and registry entry related to a particular threat can be entirely purged from a device.

The feature is also useful for simply cleaning up older PCs, the company claims.

“This ability to remediate is what most AV vendors don’t have nailed down,” said Hsu. “And it doesn’t do you much good if you clean out only some of the files created by a malware program when some that are missed could lead to future infections; we think this is a feature that will save users a lot of man hours, maybe even billions in the enterprise where so many workers and consultants are needed to address this aspect of security.”
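The remediation model described here, a history of every change a program made that is replayed in reverse, is a journaling problem. The following is an added example written for this page, not Spyberus code, and it does not claim to reflect how Spyberus records activity. It assumes a plain dict standing in for the registry and a temporary directory standing in for the disk, and it assumes a constructed infection that drops a file into a new directory, edits an existing file, adds a persistence key and hijacks an existing one. It then contrasts a naive cleanup that removes only the obvious binary with a full journal rollback, which is the point Hsu makes about partial cleanups leaving residue.

```python
"""Journaled file and registry activity with complete rollback.
Added example, not Robot Genius or Spyberus code. The 'registry' is a plain
dict standing in for a real key/value store; files go to a temporary directory."""
import shutil
import tempfile
from pathlib import Path

_MISSING = object()  # sentinel: the key did not exist before we touched it


class ActivityJournal:
    """Record every file and registry write as (kind, target, prior state) so the
    whole footprint can be undone in reverse order. Overwritten files keep a
    copy of their original bytes; directories created along the way are noted."""

    def __init__(self, registry: dict):
        self.registry = registry
        self.entries = []

    def write_file(self, path: Path, data: bytes) -> None:
        missing = []
        parent = path.parent
        while not parent.exists():
            missing.append(parent)
            parent = parent.parent
        for d in reversed(missing):  # create outermost directory first
            self.entries.append(("dir", d, None))
            d.mkdir()
        prior = path.read_bytes() if path.exists() else None
        self.entries.append(("file", path, prior))
        path.write_bytes(data)

    def set_registry(self, key: str, value: str) -> None:
        self.entries.append(("reg", key, self.registry.get(key, _MISSING)))
        self.registry[key] = value

    def rollback(self) -> None:
        for kind, target, prior in reversed(self.entries):
            if kind == "file":
                if prior is None:
                    target.unlink(missing_ok=True)  # tolerate an earlier partial cleanup
                else:
                    target.write_bytes(prior)
            elif kind == "dir":
                if target.is_dir() and not any(target.iterdir()):
                    target.rmdir()
            elif prior is _MISSING:
                self.registry.pop(target, None)
            else:
                self.registry[target] = prior
        self.entries.clear()


def snapshot(root: Path, registry: dict):
    """Picture of the machine: every file's bytes plus a copy of the registry."""
    files = {p.relative_to(root).as_posix(): p.read_bytes()
             for p in sorted(root.rglob("*")) if p.is_file()}
    return files, dict(registry)


def run_scenario():
    """Infect, attempt a naive cleanup, then roll back from the journal.
    Returns the four snapshots so they can be compared."""
    root = Path(tempfile.mkdtemp())
    try:
        registry = {"Run\\Updater": "updater.exe"}
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        clean = snapshot(root, registry)

        # Constructed infection: drop a binary in a new directory, edit an
        # existing file, add a persistence key and hijack an existing one.
        journal = ActivityJournal(registry)
        journal.write_file(root / "tmp" / "cache" / "dropper.exe", b"MZ\x90\x00")
        journal.write_file(root / "etc" / "hosts",
                           b"127.0.0.1 localhost\n0.0.0.0 av-update.example\n")
        journal.set_registry("Run\\Dropper", "dropper.exe")
        journal.set_registry("Run\\Updater", "dropper.exe")
        infected = snapshot(root, registry)

        # Naive cleanup: remove only the obvious file. Everything else survives.
        (root / "tmp" / "cache" / "dropper.exe").unlink()
        partial = snapshot(root, registry)

        journal.rollback()
        restored = snapshot(root, registry)
        return {"clean": clean, "infected": infected,
                "partial": partial, "restored": restored}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    s = run_scenario()
    print("naive cleanup left residue:", s["partial"] != s["clean"])
    print("journal rollback restored original state:", s["restored"] == s["clean"])
```

Two details matter for a real implementation. Rollback must store prior content, not just paths, because an overwritten system file (the hosts file here) cannot be repaired by deletion. And rollback must be idempotent against whatever a user or another tool already removed, which is why the missing-file case is tolerated rather than treated as an error.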

An enterprise version of Spyberus is also slated for introduction next week.