In September 2009, Symantec released its first reputation-based security offering as part of its consumer security products. Our experience over the past year has given us valuable insight into the challenges and pitfalls of deploying a widespread file reputation system, into the types of threats that such a system can detect effectively, and into how the system must be adjusted to maintain its overall effectiveness over time.
This paper presents an analysis of the real-world effectiveness of reputation-based security in detecting new malware. First, it provides an overview of the concept and how it is implemented in the overall context of our security products. We then present the techniques used to measure the effectiveness of this technology (true positive and false positive rates), as well as the technical challenges we faced in evaluating this brand new anti-malware detection approach. The paper concludes by summarizing the overall impact of reputation-based security on the malware threat space and, more generally, on the AV industry.