Startup unveils anti-malware browser add-on
Can its plan outflank Symantec, McAfee and the rest?
By Gregg Keizer, Computerworld | Computerworld UK | Published: 01:00, 13 July 2007
A startup founded by four former Microsoft employees has released a beta of a real-time malware-blocking tool that also bars malicious content from reaching PCs.
Seattle-based Haute Secure's eponymous malware/site blocker enters a market crowded with the likes of McAfee's SiteAdvisor, Symantec's AntiBot, Exploit Prevention Labs' LinkScanner and even offerings from Google. Haute Secure, however, is counting on a multilayer strategy to see it past rivals.
The first layer, said Steve Anderson, who heads the company's product strategy, is a kernel-level driver that looks for and stops executables coming out of the browser. By monitoring multiple Windows processes and services - nearly six dozen in total - the tool watches for malicious behaviour, then blocks execution when it sniffs something dangerous. "We're hooking API [application programming interface] calls to the kernel and watching for malicious behavior coming from the browser," said Anderson.
A second layer blocks the links from which malware is delivered, he added. That tactic is probably more familiar to end users, since it's the technique used by Google's blacklisting efforts, which will be the foundation of a new feature in the upcoming Firefox 3.0. "We're blocking at the site and the page level," said Anderson, noting that many domains have multiple malicious URLs.
Haute Secure, which is currently ready only for Internet Explorer users - a Firefox version will roll into beta next month, and one for Apple's Safari is due out sometime after that - stores the malicious site/page blacklist locally to avoid performance problems, and it updates blacklists several times daily.
The software also can accept multiple blacklist feeds, a characteristic Haute Secure is counting on to deliver revenue down the road. "The way the system is designed, we can take numerous feeds from multiple sources," said Anderson. "In August, we'll [integrate] Google's antiphishing antimalware API, for example. The bigger idea is that we want to be the trusted platform between the Internet and users or enterprises."
A bank, for instance, that already collects the addresses of sites spoofing its legitimate online service, could add its feed to Haute Secure to guarantee that customers who use the tool would be protected.
Haute Secure will remain free to download and use while it is in beta testing, a process that will run into September. After that, Anderson said, plans are less clear. "We may charge for using the malware-blocking feature, since we think link scanning will be more and more commoditised." Under that plan, the blacklist-based layer would be provided free. Another revenue possibility, said Anderson, is to sell a malware-scanning service to companies that fear that their legitimate sites may be hacked at some point and start spewing malicious code. "That's an interesting model, too," said Anderson.
Haute Secure's other principals include Iain Mulholland, a former manager of the Microsoft security response centre; Frank Swiderski, a security researcher and developer who once worked at Microsoft, @Stake and the US Department of Defense; and Rob Vucic, a former Microsoft security researcher who was cited by the FBI for his help investigating the long-running and wide-ranging Zotob/Mytob worm attacks of 2005.
The Internet Explorer add-on, which runs on Windows XP and Vista - including the 64-bit version of the latter - can be downloaded from the Haute Secure site.