Google Security

Google Uses Reputation To Detect Malicious Downloads

Posted by samzenpus
from the If-you-lie-down-with-dogs-you-get-up-with-fleas dept.
CowboyRobot writes "Using data about Web sites, IP addresses and domains, researchers find that they can detect 99 percent of malicious executables downloaded by users, outperforming antivirus and URL-reputation services. The system, known as Content-Agnostic Malware Protection or CAMP, triages up to 70 percent of executable files on a user's system, sending attributes of the remaining files that are not known to be benign or malicious to an online service for analysis, according to a paper (pdf) presented at the Network and Distributed System Security Symposium (NDSS) in February. While the system uses a blacklist and whitelist on the user's computer to initially detect known good or bad files, the CAMP service utilizes a number of other characteristics, including the download URL, the Internet address of the server providing the download, the referrer URL, and any certificates attached to the download."
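The triage pipeline the summary describes, as an added illustrative model (not Google's CAMP code or the paper's algorithm): a local hash-keyed allow/deny list is consulted first, and only files unknown locally have their download attributes (URL, server IP, referrer, signer) sent to a hypothetical reputation service. The service also lets reputation follow the signing key, the point raised further down the thread about SmartScreen; the thresholds, host list, signer identities and file contents are all constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class Download:
    content: bytes  # file bytes; in this model they never leave the client
    url: str
    server_ip: str
    referrer: str
    signer: Optional[str] = None  # hypothetical: subject of an attached signing certificate

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed local allow/deny list: hashes of made-up content, not of any real file.
LOCAL_VERDICTS = {sha256(b"known-good-installer"): "benign",
                  sha256(b"known-bad-dropper"): "malicious"}

def local_triage(d: Download) -> str:
    """Step 1: local lists keyed by file hash; nothing leaves the machine."""
    return LOCAL_VERDICTS.get(sha256(d.content), "unknown")

def build_query(d: Download) -> dict:
    """Step 2: attributes sent only for locally unknown files; metadata, never file bytes."""
    return {"sha256": sha256(d.content), "url": d.url, "server_ip": d.server_ip,
            "referrer": d.referrer, "signer": d.signer}

class ReputationService:
    """Hypothetical server side: host reputation plus reputation that follows the signer."""
    def __init__(self, bad_hosts: set, signer_downloads: dict, min_signer_seen: int = 3):
        self.bad_hosts = bad_hosts
        self.signer_downloads = signer_downloads  # signer -> downloads previously seen
        self.min_signer_seen = min_signer_seen
    def evaluate(self, q: dict) -> str:
        if q["server_ip"] in self.bad_hosts:
            return "malicious"
        seen = self.signer_downloads.get(q["signer"], 0) if q["signer"] else 0
        # Never-seen file with no established signer is flagged: the case the thread complains about.
        return "benign" if seen >= self.min_signer_seen else "suspicious"

def classify(d: Download, svc: ReputationService):
    """Returns (verdict, query_sent) so the privacy trade-off is visible per file."""
    verdict = local_triage(d)
    if verdict != "unknown":
        return verdict, False
    return svc.evaluate(build_query(d)), True
```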
  • Google ... (Score:2, Insightful)

    by Anonymous Coward

    Google, we want to scan your computer for you too. All that other stuff we find ... you know, the personal stuff or the illegal downloads or copyrighted stuff ... we promise not to see it.

    • Google Desktop search was by far one of the best tools for desktop searching I've ever used. I really actually enjoyed the integration into my normal search results (when it worked).

      I do see your concern though.

  • Business karma (Score:4, Interesting)

    by jbmartin6 (1232050) on Monday April 08, 2013 @08:54AM (#43390217)
    It is interesting to see how karma works in the business world. Microsoft has been doing this for quite some time, with a few differences in implementation. But when Microsoft does it, we see that they are spying on us [slashdot.org]. When Google plays catch up, it grabs headlines for fighting malware.
    • by Lisias (447563)

      Funny thing is that Google, indeed, makes a living using user (meta)data, while Microsoft just wants to sell you software.

      The fox guarding the henhouse?

    • Microsoft is willing to give back to the public? I think that is the difference.

    • Re:Business karma (Score:5, Informative)

      by 14erCleaner (745600) <FourteenerCleaner@yahoo.com> on Monday April 08, 2013 @10:22AM (#43391071)
      As TFA notes, Microsoft sends information on all scanned files back to a central server, but Google does local evaluation and only sends back info on suspected malware. From a privacy standpoint, there's a big difference between the two.
      • Re:Business karma (Score:4, Insightful)

        by LordLimecat (1103839) on Monday April 08, 2013 @11:56AM (#43392033)

        This is the huge irony of Microsoft et al trying to create panic over Google's privacy issues; of all the large online service providers, Google is up there as one of the best in regards to reliability, privacy, etc.

        But no, let's all ditch Google for Bing because of privacy issues. Everyone knows that Bing is lots better (when they're not cooperating with the Chinese gov't).

      • TFA says Google's implementation first checks a local cache of known good and bad files. All other files get the info sent to Google for evaluation. That's a lot wider than "only sends back info on suspected malware". As I said, a difference in implementation, and one that certainly makes sense even just considering network and server resources. But there are no details given on what gets into the whitelist. Google can leave anything it wants to track off the whitelist, just like Microsoft could do all sort
  • by lseltzer (311306) on Monday April 08, 2013 @08:57AM (#43390237)
    It's only in Windows 8, but Microsoft does the same thing.
    • by game kid (805301)

      Except that, on IE, I've definitely had downloads SmartScreen'd (and even a few blocked by the same) on Windows 7 (and I forget if I did on Vista as well). Less frequently downloaded stuff (like, say, MAME versions released within the day and obscure SourceForge stuff or whatnot) triggers dialogs as well, because SmartScreen takes note of what (.exes, in particular, but other stuff I think) gets downloaded, how often, and which of those get reported as unsafe.

      • by lseltzer (311306)
        Like I said, it's on Windows 8. On Windows 7 SmartScreen only has reputation on sites, not files. A file that Microsoft has never seen before can rightfully be judged as suspicious. If it's something you know is OK, for instance because you compiled the program, then you know more than they do.
    • by qaz123 (2841887)
      SmartScreen just counts the number of downloads. You can compile a Hello World application, put it on your website and SmartScreen will warn anyone that your file is "potentially dangerous" until it reaches a certain number of downloads. This applies even to signed files. Very bad thing for those who try to sell their software online.
      • by tepples (727027)

        This applies even to signed files.

        I've read that it's less likely to apply to signed files if you've released other files that have "reache[d] a certa[i]n number of downloads" under the same certificate.

        • by lseltzer (311306)
          Right, if you distribute software then you should sign the files and the reputation of the file will follow the reputation of the key.
          • Theoretically, distributing software using a self-signed certificate, as is done on Android, would create a "key continuity" situation that would allow "the reputation of the file [to] follow the reputation of the key". But I was under the impression that the warnings for downloading software with a self-signed certificate were even sterner than the warnings for distributing completely unsigned software. So what should a hobbyist software developer do to avoid a recurring fee of $100 to $200 per platform pe
  • False positives? (Score:4, Insightful)

    by pablomme (1270790) on Monday April 08, 2013 @09:10AM (#43390327)

    1% of false negatives is good, but how about false positives?

  • http://tot-ltd.org/techinf.html [tot-ltd.org]

    NSRL is also a pretty good site to get a comprehensive whitelist from. Best of all, the whitelist database is free, and used for forensic file analysis. The only mildly difficult part is sometimes keeping up with the release of new malware, but that's why I implement several other databases, including one based on API calls in known hostile applications. The really interesting thing with API groups, is that you can identify which piece of new malware most likely belongs
