
WHITE PAPER

Zero Hour Virus Protection: Defending Against the Unknown
Sponsored by: VirusBuster, BlueCat, G-Data, AhnLab, Commtouch

Dan Yachin, Research Director, EMEA Emerging Technologies


August 2005
Central and Eastern Europe, Middle East/Africa Headquarters MALE NAMESTI 13 110 00 Praha 1 Czech Republic

IDC OPINION
Despite the massive deployment of antivirus solutions, viruses and other types of
malware are still the greatest security threat for enterprises. Fighting malware is a
perpetual war, in which attackers constantly identify and target emerging
vulnerabilities in order to stay one step ahead of defenders. Today, many rapidly
propagating attacks are aimed at the weak spot of traditional antivirus solutions,
which are based on developing new signatures for new threats – a time-consuming
process (hours-long at best) that creates a window of vulnerability where end users
are unprotected. In light of these threats, organizations can no longer solely rely on
reactive signature-based solutions. To protect against new and unknown threats,
more proactive approaches should be applied, providing improved response times
without compromising detection levels.

METHODOLOGY
IDC developed this white paper using a combination of existing market forecasts and
direct, in-depth, primary research. To gain insight into the challenges of fighting
modern malware, especially sophisticated rapidly propagating threats, and to learn
about how Commtouch's Zero-Hour Virus Protection can help mitigate associated
risks, IDC interviewed the company team on the issues of technology, product
offerings, competitive landscape, and go-to-market strategy. IDC also interviewed
vendors employing Commtouch's technology including BlueCat Networks and
VirusBuster.

IN THIS WHITE PAPER


This IDC white paper looks at the problem of zero-hour malware outbreaks that are
aimed at infecting as many machines as possible before vaccinations are available. It
provides an overview of traditional signature-based antivirus technologies and their
weaknesses in protecting against this type of attack, and examines different proactive
virus detection and protection approaches.
EXECUTIVE SUMMARY
More than two decades since their first appearance, computer viruses remain a
serious problem. The financial costs of viruses are still substantial as defenders
struggle to keep up with the growing sophistication and effectiveness of malware
attacks. The emergence of rapidly propagating malware designed to cause mass
infection before signatures are available has taken the armament race between virus
writers and antivirus developers to a new level. These attacks are becoming
increasingly sophisticated: some of the most recent malware outbreaks introduced
new threats such as multi-variant viruses, and spyware-carrying worms that use a
spam-like distribution technique to propagate. In order to fight these threats
effectively, new approaches towards proactive virus protection are more important
than ever. One of these emerging approaches is Commtouch's Zero-Hour Virus
Protection technology, which enables detecting any type of attack that carries the
characteristics of a massive outbreak, regardless of its payload.

SITUATION OVERVIEW

Current Malware Trends

Malicious software, or malware, is a general term for any software that is designed to
cause damage to computer systems when executed. This definition refers to various
types of malicious code (e.g., viruses, worms, Trojan horses, zombies, trapdoors,
logic bombs, key loggers), but the most common and damaging are replicating
malicious code programs, known as viruses.

Viruses have come a long way since the early days in which they spread from one PC
to another via diskettes. To a large extent, it is no longer the playground for amateurs
that fall into the stereotype of bored teenagers seeking notoriety. Today's malware is
in many cases the business of professionals and even criminals. Correspondingly, the
motivations that drive malware authors are changing and a growing number of attacks
are financially-driven rather than simple pranks.

In light of the growing sophistication of malware, the effectiveness of attacks is on the
rise and so is the financial impact. According to the CSI/FBI 2004 Computer Crime
and Security Survey report, viruses were the type of security incidents that generated
the largest losses in 2004.

On the surface, these findings may seem puzzling given the fact that antivirus
solutions are used by the vast majority of organizations. Still, in a recent IDC survey,
90% of large companies were hit by a successful virus attack this year; moreover,
40% reported 11 or more successful attacks in 12 months (see IDC's Enterprise
Security Survey 2004, #32593).

2 # ©2005 IDC
FIGURE 1

Number of Successful Attacks in the Past 12 Months by Company Size
Q. How many attacks, including (but not limited to) viruses, hacks, Trojan horses, and worms,
against your company's enterprise network defenses successfully breached security in the
last 12 months?

n = 477

Note: Small companies are those with 1-99 employees; medium-sized companies are those with
100-999 employees; large companies are those with 1,000-9,999 employees; and very large
companies are those with 10,000+ employees.
Source: IDC’s Enterprise Security Survey, 2004

The Weak Spot of Traditional Antivirus Approaches

The growing effectiveness of malware can be explained by its dynamic nature.
Malware writers make concerted efforts to find weak spots in enterprise security
systems, and to overcome them. In this regard, malware writers have realized that
organizations' reliance on signature-based antivirus products creates a significant
window of vulnerability, and are targeting it in various ways.

The problem of signature-based AV solutions lies in their reactive nature. A signature
development cycle consists of obtaining a sample of the virus (which means a new
threat can only be identified when it is already on the loose), initial virus signature
development, production-level signature development, and eventually customer
update – an hours-long process at best, in some cases 24 hours and more. According
to AV-Test, a German-based independent lab that is constantly testing the
performance of leading antivirus products, the response time of signature-based
antivirus solutions averages 10 hours (see Table 1 below). These results come from
a test done last year, which was aimed at measuring the response times in 45 major
malware outbreaks.

TABLE 1

Outbreak Response Time Test Results

Response Time        AV Vendors
Less than 2 hours    N/A
Less than 4 hours    Bitdefender, Kaspersky
Less than 6 hours    AntiVir, Dr. Web, F-Secure, Panda, RAV
Less than 8 hours    Quickheal, Sophos
Less than 10 hours   AVG, Command, F-Prot, Norman, Trend Micro, VirusBuster
Less than 12 hours   Avast, eTrust (CA)
Less than 14 hours   Ikarus, McAfee
Less than 16 hours   eTrust (VET), Symantec (Intelligent Updates, but not LiveUpdates)

Notes:
Beta definition updates from McAfee (DailyDats) and Symantec (Rapid Release Definitions) were usually available within
less than 4 hours.
Many larger AV companies have Service Level Agreements (SLAs) for a predefined response time with special signature
updates (which are not publicly available).
Response times refer to the time required to detect the main malware component, but not for (possible) dropped files (e.g.,
keyloggers). Only 7 out of 24 tested AV companies were able to detect the dropped components with the first update (or
with a second update that was available a few hours later): AntiVir, AVG, eTrust (VET), McAfee, Panda, Sophos, and Trend
Micro.
Some companies required a few days to weeks for full detection (or even full repairs).
Source: Antivirus Outbreak Response Testing and Impact, Andreas Marx, AV-Test.org (presented at the Virus Bulletin 2004 Conference in
Chicago)

As seen in Table 1, given current response times, signatures developed against new,
rapidly propagating attacks can only slow an outbreak but cannot prevent the mass
infection in the first hours. In the notorious MyDoom attack, for example, it took 6.5
hours from first detection (by MessageLabs) for the outbreak to peak, but the initial
signature was released (by McAfee) almost 8 hours after first detection. It took nearly
9 additional hours before most leading antivirus vendors released production-level
vaccinations. The speed of propagation was a key to the "success" of MyDoom,
which according to different estimates caused more than $30 billion worth of financial
damage.

Another drawback of the signature-based approach is the need to produce a unique
signature not only for brand new viruses but also for mutations or variants of existing
viruses. And as the current daily rate of viruses or virus variants found is about 75 to
100 (compared to numerous viruses only two years ago), according to AV-Test,
fighting malware with signature-based weapons becomes a perpetual battle.

Exploiting the Window of Vulnerability

Recent malware propagation techniques can be categorized into four main classes –
all of which aim to exploit the early-hours weak spot of the signature-based antivirus
approach.

The Speed Factor: Mass-Mailing Worms


Perhaps the single most notable characteristic of modern malware is its speed of
propagation, which is the main factor in the success of mass-mailing attacks such as
MyDoom, Netsky, and Beagle. These attacks spread by sending email messages
containing an infected executable attachment. When the attachment is opened, it
sends spoof email messages containing the attachment to email addresses harvested
from the infected computer. In the MyDoom case, this infection technique allowed the
worm to reach mass distribution in only a few hours (approximately 100 million
infected machines within 36 hours, according to various estimates).

Achieving high propagation rates is clearly one of the main design goals of malware
authors today. Modern viruses and worms are not immune to vaccinations – they are
designed to infect as many computers as possible before vaccinations are available.

The Volume Factor: Spam-Like Attacks


Unlike worms that propagate by moving from one machine to another, a spam
outbreak targets multiple destinations in an extremely short period of time.
Harnessing spam-like distribution techniques for the purpose of distributing malware
is a new and extremely concerning trend: rather than spreading from one
computer to another, this type of malware is sent in one massive blast.

Attacks using such zombie propagation methods can distribute 100-200 million
messages within several hours (usually less than 5 hours). In other words, by the time
the first antivirus production-level signatures are ready, the distribution cycle is
already completed. This technique is highly effective for Trojan and spyware
distribution, and is therefore often used in attacks made for material gain.

The Durable Threat: Multi-Variant Viruses


In some of the most recent malware attacks, a new phenomenon of multi-variant
viruses has been spotted. In this scenario, malware writers prepare an "arsenal" of
virus variants. The malicious action itself is the same in all variants, but they differ
enough so that they cannot be blocked using the same signature. As the variants are
released in time intervals, by the time antivirus providers produce a signature for one
variant, a new variant has already been released.

Such an attack not only exploits the AV window of vulnerability, but it also extends it –
keeping end users virtually exposed throughout the entire duration of the attack.
Some of the latest multi-variant attacks lasted days, with a new variant released every
day. Other recent attacks used intervals of about 4 hours, aiming at the estimated
minimum time required for developing a new signature.

The Elusive Threat: Blended Attacks


Blended threats combine the characteristics of viruses, worms, and Trojan horses,
and usually exploit known system vulnerabilities to spread through multiple channels
(email, Web, etc.). They are extremely difficult to block, since they often fall beyond
the scope of traditional antivirus solutions. The classical example of a blended attack
is “Code Red”.

Blended threats often come in the form of (but are not limited to) Trojan horses used
to create backdoors for sending spam or for launching a Distributed Denial of Service
(DDoS) attack. In this scenario, the attacker uses the backdoor to remotely control a
group of infected machines (zombies), and to take down a specific Web server by
flooding it with multiple simultaneous requests.

Phishing – A “No Man’s Land” between Spam and Malware

In addition to the above-mentioned propagation techniques, phishing is another type
of threat that exploits current vulnerabilities in traditional security solutions.

The term "phishing" refers to an online fraud technique where a spam message is
sent or a pop-up appears that seems to be from well-known banks, credit card
companies, insurance companies, online retailers, and ISPs. Disguised as a
legitimate request for updating or verifying personal information, the spoof message
refers users to the phisher's phony Web site, tricking them into revealing personal
financial information such as credit card numbers, social security numbers, bank
account numbers and passwords. The data can then be used for credit card fraud,
identity theft, stealing money, and so on.

From the security standpoint, phishing presents acute detection and blocking
challenges, for antivirus as well as anti-spam engines. Technically speaking, phishing
is neither spam nor a virus: since it involves no malicious code or even an
attachment, antivirus solutions are completely ineffective against it.

From a technical point of view, phishing campaigns are no different from spam, and
often use the very same propagation techniques. But since most anti-spam solutions
are designed to block spam according to specific text and content attributes, they are
not always successful in blocking phishing messages that appear legitimate.

Unlike spam, which is marketing-driven, phishing has malicious intent; more than just
annoying, it is considered a security threat. Like malware (but not spam), a failure to
block even a few phishing messages at the gate can result in severe damage.
Security managers therefore tend to group phishing with malware, and expect it to be
blocked by their antivirus providers.

Fighting Malware: The Emergence of Proactive Detection

Malware attacks are becoming much less predictable and more sophisticated, and
are being undertaken using multiple methods. They differ in form, in propagation
technique, and in the nature of their payload. In order to efficiently fight modern
malware that is aimed at the weak spot of signature-based solutions, the security
industry is continuously seeking new tools to shorten response times to attacks. The
proactive approaches that have previously attempted to complement signature-based
solutions can roughly be divided into two main categories according to the techniques
employed.

Sandbox: The sandbox approach is based on running executable and other active
email attachments in a virtual, contained environment, while monitoring them for
predefined illegal or suspicious behavior (e.g., modifying registry entries or changing
system settings). Email identified as suspicious is treated accordingly (withheld or
quarantined). A few challenges cloud the sandbox approach: first, the inherent lack of
capacity to detect delayed viruses, as well as "silent" malware such as worms
containing spyware or adware payloads (designed to leave no traces of malicious
activity), and of course phishing. Second, having to actually run the attachments of
each email that enters the organization or ISP is costly and CPU-consuming
(gateways usually avoid this technology).

Heuristic Analysis: Heuristic-based virus detection is based on scanning email
messages and attachments for suspicious code, focusing on common characteristics
(e.g., attachment name that hides its extension, code-line inside the attachment that
modifies registry entries, etc.). Using this technique, some of the new viruses or
mutations of old ones are identified based on a resemblance to previous attacks'
characteristics, without the need for signature updates. The major drawback of
heuristic scanning is multiple false positive notifications, as innocent files are
mistakenly identified as viruses if the heuristic engine is too sensitively tuned. On the
other hand, low sensitivity may result in missing new viruses. In addition, malware
authors often test their malicious code against heuristic scanners prior to launch, and
modify it accordingly to avoid detection.

Network-Based Proactive Detection
The abovementioned proactive detection approaches are increasingly being
integrated into antivirus offerings, alongside signature-based solutions. This "layered
security" approach, as defined by IDC, provides organizations with a greater degree
of accuracy in detecting known and unknown threats (see Worldwide Antivirus
2004-2008 Forecast and 2003 Vendor Shares, IDC #31737). Nonetheless, proactive virus
detection solutions tested by AV-Test in 2004 had new-virus detection levels of 39%
or lower. Most heuristic-based solutions tested had less than 30% detection
levels.
In light of this, rapidly propagating attacks are still an unsolved problem. As firms try
to address this challenge, an alternative approach of inspecting real-time email traffic
to identify malware outbreaks by their distribution pattern has emerged. This
network-based proactive approach is based on analyzing the attributes of the outbreak itself
(rather than the virus or malware that has already arrived). In addition to improved
accuracy and response times, which are virtually unmatched by any other antivirus
approach, another benefit of the network-based approach is that it is agnostic to
specific content attributes. Hence, at least theoretically, any outbreak can be detected
regardless of its content – a significant advantage in times when malware is
becoming increasingly sophisticated, dynamic, and elusive.

The major hurdle of applying the network-based approach is that in order to provide
adequate coverage of threats, huge amounts of data must be collected from multiple
locations all across the Internet, and analyzed in real-time. Otherwise, the ability to
track new malware outbreaks as they occur would be significantly reduced. Given this
requirement, the network-based approach is mainly applied by providers of managed
email security services such as MessageLabs and FrontBridge that have access to
large volumes of email traffic.

Commtouch Zero-Hour Virus Protection

Commtouch is an OEM-focused messaging security vendor, specializing in real-time
protection against email threats such as spam, phishing, and viruses. The company's
Zero-Hour Virus Protection is an emerging network-based proactive malware
detection solution.

FIGURE 2

Zero-Hour Preemptive Protection

(Timeline chart not reproduced. Labels recovered from the figure: Zero-Hour™ Virus
Protection; Effective Zero-Hour™ detection: 0.5-2 minutes; Outbreak Peak; AV Signature:
First signature Released; 90% of top AV signatures; 20-30 hours.)

Source: Commtouch, 2005

Based on the analysis of the characteristics of modern malware outbreaks,
Commtouch's patented Recurrent Pattern Detection (RPD) technology serves as the
foundation for the company's email protection solutions. The first solution developed
with this technology was an anti-spam solution that enables the detection of spam
outbreaks as they occur, using sophisticated algorithms that analyze Internet traffic in
real time. The solution is licensed today by providers of messaging security software,
security appliances, messaging solutions and managed security services, and is used
for the protection of about 35 million mailboxes.

The second solution developed using the RPD platform is the Zero-Hour Virus
Protection, a real-time malware detection and blocking solution that is designed to
identify new outbreaks as they occur. The Zero-Hour solution analyzes email (SMTP)
traffic in real-time, using massive amounts of data collected at different key points
over the Internet to achieve a representative sample of worldwide traffic. In a fully
automated process, data is then analyzed for recurrent patterns of malware
outbreaks, to identify new outbreaks as soon as they are distributed (usually long
before their first instances reach the protected organization).

FIGURE 3

Commtouch Zero-Hour Virus Protection

Source: Commtouch, 2005

The Zero-Hour architecture (see Figure 3 above) consists of the Real-Time Detection
Center, which serves as a central repository for storing recurrent patterns along with
classifications that represent the level and type of threat. At the customer's side the
Zero-Hour Engine, which is used for filtering incoming mail, samples "suspicious"
messages that are not recognized as known viruses and proactively queries the
Detection Center. According to the classification received, the incoming message is
deleted, quarantined, forwarded, and so on.
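The sampling, query and classification flow just described, as an added Python model. This is not Commtouch's code (the page does not describe RPD's actual algorithms): the pattern key, the 300-second window, the thresholds, the attachment types sampled and the sample traffic are assumptions chosen for illustration.

```python
import hashlib
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 300          # assumed sliding window for counting recurrences
SUSPICIOUS_AT = 3             # assumed: pattern seen this often -> hold for analysis
OUTBREAK_AT = 10              # assumed: pattern seen this often -> quarantine
ACTIVE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}   # attachments sampled


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Message:
    sender: str
    attachment_name: str
    attachment: bytes
    received_at: float        # seconds; constructed timestamps in the demo below


def attachment_extension(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower()


def pattern_key(msg: Message) -> str:
    """Assumed recurrent pattern: attachment bytes plus extension. Sender and subject
    are ignored because mass mailers spoof and vary them. Two true variants with
    different bytes therefore get separate counts, which is exactly why the paper's
    multi-variant attacks stretch the window for per-sample approaches."""
    ext = attachment_extension(msg.attachment_name)
    return sha256_hex(ext.encode() + b"\0" + msg.attachment)


class DetectionCenter:
    """Stand-in for the Real-Time Detection Center: stores per-pattern sighting
    times and answers classification queries over a sliding time window."""

    def __init__(self) -> None:
        self._sightings: dict = defaultdict(deque)

    def report_and_classify(self, key: str, now: float) -> str:
        q = self._sightings[key]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:   # forget sightings outside the window
            q.popleft()
        if len(q) >= OUTBREAK_AT:
            return "outbreak"
        if len(q) >= SUSPICIOUS_AT:
            return "suspicious"
        return "clean"


class ZeroHourEngine:
    """Stand-in for the customer-side engine: signature check first, then sample
    unrecognized active attachments and query the center for a classification."""

    ACTIONS = {"outbreak": "quarantine", "suspicious": "hold", "clean": "deliver"}

    def __init__(self, center: DetectionCenter, known_signatures: set) -> None:
        self.center = center
        self.known = known_signatures     # sha256 of attachment bytes (constructed set)

    def handle(self, msg: Message) -> str:
        if attachment_extension(msg.attachment_name) not in ACTIVE_EXTENSIONS:
            return "deliver"                          # not "suspicious": never sampled
        if sha256_hex(msg.attachment) in self.known:
            return "delete"                           # known virus: signature path wins
        verdict = self.center.report_and_classify(pattern_key(msg), msg.received_at)
        return self.ACTIONS[verdict]


def simulate_outbreak(n_messages: int = 12, spacing: float = 15.0) -> list:
    """Constructed scenario: one unknown attachment mailed from many spoofed senders
    a few seconds apart, i.e. the shape of a mass-mailing outbreak. Returns the
    action taken on each message in arrival order."""
    engine = ZeroHourEngine(DetectionCenter(), known_signatures=set())
    payload = b"CONSTRUCTED-SAMPLE-NOT-A-REAL-BINARY"
    actions = []
    for i in range(n_messages):
        msg = Message(f"user{i}@example.invalid", "photo.scr", payload, i * spacing)
        actions.append(engine.handle(msg))
    return actions


if __name__ == "__main__":
    # Early copies pass, the pattern is held from its third sighting and quarantined
    # from its tenth, all without any signature existing for the payload.
    print(simulate_outbreak())
```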

The Zero-Hour solution can be integrated into hardware or software gateways,
desktop-based products, managed services, or network appliances.

Aimed at detecting mass outbreak indicators, Zero-Hour is differentiated from other
proactive virus detection technologies by several advantages. First and foremost is
the immediate and accurate detection of new outbreaks. Second, as Zero-Hour is not
focused on identifying specific content attributes, it can capture any type of attack that
carries the characteristics of a massive outbreak, regardless of its payload. This
applies even for blended and other emerging threats that sometimes fall between the
cracks, as in the previously mentioned “silent attacks” (e.g., phishing and spyware).

Product Offering
Commtouch is positioning Zero-Hour as a complement to existing antivirus solutions,
as it provides the necessary early virus protection layer. By blocking, delaying, or
quarantining suspicious messages long before the availability of the signatures, it
allows antivirus providers to perform the in-depth analysis required for developing
new virus signatures, while keeping customers protected in the meanwhile.

Commtouch's go-to-market strategy is to offer Zero-Hour technology in an OEM
model. The company's prime target audience is prominent providers of antivirus
"engines" looking for a complementary technology to their signature-based one, as
well as messaging security vendors and integrators using Zero-Hour for powerful
differentiation (including security appliance vendors, secure content management
software vendors, managed security service providers, secure email application
vendors, and others).

CASE STUDIES

BlueCat Networks

Founded in 2001, Toronto-based BlueCat Networks (www.bluecatnetworks.com) is a
leading provider of network security appliances. The company's product line consists
of the Adonis family of DNS and DHCP Appliances, Meridius Security Gateway, and
Proteus Enterprise IP Address Management Appliance.

The Meridius appliance protects organizations against spam and virus threats. On the
spam side, it applies various protection techniques, including blacklisting, whitelisting,
heuristic analysis/Bayesian filtering, and other options. In light of the growing
sophistication of spam, which is becoming increasingly harder to detect, BlueCat last
year decided to enrich its product offerings with additional pre-emptive spam
detection capabilities. After several tests, it signed an agreement to license
Commtouch's Spam Detection Engine, which is based on RPD technology.
Incorporated into the Meridius appliance, it now offers a first line of defense against
new spam for BlueCat customers.

Recently, BlueCat extended its partnership with Commtouch by signing an agreement
to license Zero-Hour Virus Protection and use it in the Meridius appliance. According
to the company, what made it realize the need for proactive virus protection was "the
space between the beginning of the outbreak and the time that antivirus vendors get
the definition right". In response to this gap, and based on its previous successful
experience with RPD, Zero-Hour was a natural choice for BlueCat.

Michael Hyatt, BlueCat President and CEO, finds a similarity between spam and
viruses, which have both reached a point where new approaches need to be applied
in order to fight them efficiently. "What was once acceptable – for both viruses and
spam – is now not. There was a time when if you stopped 90% of spam that was okay
but now the volumes are so high that 90% could cripple you. Regarding viruses, most
antivirus companies were coming out with updates in 6-12 hours. But looking forward
that might not be acceptable anymore. It is just a cat and mouse game."

Zero-Hour will be implemented as a complementary solution in Meridius, which
already includes an antivirus option provided by F-Secure. BlueCat hopes to obtain
significant advantages from this combination, as Zero-Hour would be able to provide
F-Secure with early alerts on malware outbreaks, allowing it to respond quickly with
signature updates. At the same time, customers will be protected, since the
Commtouch solution quarantines infected or possibly infected messages until further
analysis is available.

BlueCat also emphasizes the ease-of-use and management of Zero-Hour and the
fact that it requires no tweaking of settings. As such, it fits well into Meridius, which is
designed to operate with full transparency for end users and with minimal
administration.

VirusBuster

Founded in 1997, Hungary-based VirusBuster (www.virusbuster.hu) is a developer
and provider of antivirus, anti-spam, and other security solutions for enterprises,
SMBs, ISPs, and home users. The company's product line includes desktop, file
server and mail server solutions, as well as an antivirus management system for
Windows networks. The antivirus products are based on VirusBuster's
platform-independent scan engine, which includes such features as heuristic analysis,
emulation technologies, spyware and adware detection and removal capabilities, and
native scanning of compressed files. The scan engine uses a flexible virus database
that is updated on a daily basis.

According to IDC research, VirusBuster is one of the leading antivirus vendors in the
Central and Eastern European region. The company's products are used by other
antivirus vendors, including Sybari Software, which was recently acquired by
Microsoft.

Last year, VirusBuster signed an agreement to integrate Commtouch's RPD
technology into its email protection solutions, to provide an additional layer of
real-time spam detection. Implemented as Extended Spam Protection, Commtouch's
spam engine complements VirusBuster's existing statistical filter that is accompanied
by different techniques, including heuristics, whitelists, blacklists, and real-time
blackhole lists.

Peter Agocs, VirusBuster’s CTO, notes that right after starting to use RPD
technology, the company recognized the potential of using it not only for spam
detection but for detection of malware groups spreading through email. "The
technology's reactivity has excellent performance, setting a new industry standard for
reaction time, which is such a critical issue nowadays. Commtouch reduces reaction
time to minutes. Zero-Hour, as an online technology, allows users to stop new
malware without updating the client side, which cannot be done in most cases by any
other proactive solution".

VirusBuster decided to evaluate Zero-Hour as a complementary solution to its scan
engine. In six months of testing, Zero-Hour reached a permanent detection rate of
more than 92% (see Figure 4), and achieved 97% in the last period of testing due to
several system changes. During this time, Commtouch's technology allowed
VirusBuster to rapidly detect virus outbreaks, while keeping false positives at negligible
levels. During most of the testing period, false positive levels did not exceed 0.006%
(1 in 16,600 messages), achieving an overall average of less than 0.003%. Based on
this performance, the company decided to license Zero-Hour and to implement it in all
of its email protection solutions as a default component.

FIGURE 4

Zero-Hour Detection Rate at Live ISP 6-Month Test

(Line chart not reproduced. Series: Beagle.BU/BV, Beagle.CH, Beagle.CK/CL.
Y axis: Malware Detection Rate, 0.0% to 140.0%. X axis: March 1, March 30, April 30,
May 31, July 1, July 24. Annotation: Average 92.73%.)

Notes:
Detection rates refer to VirusBuster's product featuring Zero-Hour, as measured from March 1st
to June 29th in a real ISP environment.
Detection rates over 100% are caused when Zero-Hour detects malware that the virus scan
engine database fails to detect.
Source: VirusBuster, 2005

CHALLENGES AND OPPORTUNITIES
Commtouch's Zero-Hour Virus Protection addresses a growing market need for
protection against rapidly propagating malware outbreaks, which are becoming a
major threat to organizations. Unlike other proactive antivirus solutions, the
company's approach is focused on the most intrinsic characteristic of modern
malware – achieving mass distribution in a short period of time. This makes
Zero-Hour suitable for closing the early-hours window of vulnerability.

The market opportunity for proactive virus detection solutions such as Zero-Hour
could be a significant one, but there are some challenges involved. For example, as
Zero-Hour is a complementary product rather than a comprehensive antivirus
solution, the decision to license the technology to antivirus and secure messaging
vendors makes sense. But there is a limited target audience for OEM agreements,
and success is therefore dependent on partnering with numerous key players.

Going forward, Commtouch should be looking to expand Zero-Hour to cover a larger
scope of threats. As the messaging security space is experiencing consolidation and
convergence of solutions, the next steps could be covering channels such as Instant
Messaging and mobile (wireless) messaging, which appear to be among the next
major malware targets.

In the longer term, the "consolidation" of threats that use multiple attack vectors to
spread could spur the convergence of security solutions, mainly at the gateway level.
This situation could create a market opportunity for Commtouch. Although the
company's roots are in the messaging security space, with the right partnerships,
RPD technology could be adjusted to cover HTTP, FTP, and other network channels,
as well as wireless networks. Covering multiple channels with a single underpinning
technology could be a significant advantage in the future market for security solutions.

CONCLUSION
Malware authors today are aiming their efforts at a major window of vulnerability in
traditional defense systems – the reliance on signature-based antivirus solutions. As
the time-consuming process of developing specific vaccinations against specific
threats exposes organizations to mass infections by rapidly propagating malware
outbreaks, proactive technologies are increasingly required.

Emerging technologies such as Commtouch's Zero-Hour Virus Protection could have
an important role in mitigating those risks. Combined with traditional signature-based
antivirus solutions, which will continue to be the main method for fighting known
threats, proactive technologies should have an increased role in protecting against
unknown threats.

Copyright Notice

External Publication of IDC Information and Data — Any IDC information that is to be
used in advertising, press releases, or promotional materials requires prior written
approval from the appropriate IDC Vice President or Country Manager. A draft of the
proposed document should accompany any such request. IDC reserves the right to
deny approval of external usage for any reason.

Copyright 2005 IDC. Reproduction without written permission is completely forbidden.
