Hi guys,
I read about this new mechanism the Anti virus companies mark as the future AV technology - Reputation protection.
I'm curious to know how such thing might work,
will they send every file of mine to check (even private files? or my executables?),
if they won't send the whole file, what would they? and what if I'm not online? will it buffer the info or just ignore it?...
Is this thing already working, 'cause I haven't notice any difference...

Thanks,

All I found on the matter is this article: http://www.scmagazineuk.com/symantec-re ... le/213609/

The gist of it seems to be that they keep a whitelist of known clean files, and that the dynamically add to this whitelist when one of their installs comes across a new file.
I would guess that they have the whitelist cached for offline use.

As far as sending the entire file, they don't. It's still signature based, so your personal information is still safe. (For now.)

But most of this is probably going to be slightly different for every AV vendor's implementation.

Thanks for the reply,

But what will happen in case they see an unknown file? you can't just add it to the whitelist since it might be malicious, and if you scan it on the client's computer the result might not be accurate...

As far as I understand, it'll only be added to the whitelist if the file is detected on a, or several machines that have never been infected so far. But again, this would be highly vendor implementation dependent of course.

mmmm.... I can understand the what's behind this idea, but I'm in doubt if it's that simple,
as it will be trivial to bypass by creating a new "clean" machine and copying the malicious file into it.
There should be a way to manage such trials to subvert the mechanism.

Everything can be bypassed. But I don't expect any AV vendors to rely entirely on this mechanism.
Instead, what you'd expect to see is this being implemented alongside existing stuff, and having this new technique be applied to try and stem the tide of payloads generated on the fly.
Besides, having it run from a clean machine is not as easy as it sounds. You could fairly easily set up a VM, but you would probably also need a clean IP address/address block.

Also, you should take into account that they'll probably not whitelist an item when they have one place where it is. And even if they do, I'd expect they'll quickly reverse that whitelisting if it then shows up on 80 bad machines.

I would imagine that it's mostly useful in preventing polymorphic worms and viruses from evading detection as easily as they do now.