
A lot of malicious attacks, government-backed attacks, don't use any kind of foreign software. Things like downloaded PowerShell scripts, things that computers can do with the components that they already have without needing to put any virus on the computer. For that reason, you can never keep up with all the mutations and viruses, and you can't keep up with malicious behavior that isn't based on viruses. It had a behavior-based component called SONAR, however, it was still mostly a signature-based software antivirus application. Symantec tried to be a hybrid between the two.

Next-generation is behavior-based detection rather than signature-based detection.

They also take up a lighter load on the computer. And so for that reason, the next-gen antiviruses are much more efficient at detecting viruses. They're honed by artificial intelligence and machine learning from data collected all over the world. They're based on intelligence algorithms. And so it still relied on things like a database of virus signatures that would need to get downloaded and then files would be checked for those signatures. It never really caught on to the new trends and antivirus protection. Symantec was very highly rated at one point in its life.

Norton Antivirus was one of the very first antiviruses to come out in the 1980s. Symantec Endpoint Protection was one of those legacy products that have been around forever. Most organizations are choosing a next-gen antivirus, one that's based on artificial intelligence. It wasn't a very good solution overall, which is why we ended up replacing it. There was no way to lock that node down immediately when you see something out of the ordinary. It immediately tried to find other machines on that network segment with the same vulnerability to infect that particular node. Case in point, we had an issue where we had a machine that was affected. We can use that information to beef up the firewall rules.

For example, if it's trying to call home to a specific IP or domain. It'll also help if they give us more of an explanation of what the malware tries to do once it's on the network. You can usually do that with a policy setting. Then it can't probably get onto another node. It would be really good if they had a proactive feature to isolate the node with the agent on the endpoint when it sees some type of erroneous behavior and knock it off the network. Still, there's no way to actually determine a workflow of how it actually came in, how it was executed, and how it was distributed within the enterprise if indeed it did migrate or propagate through. You're just notified if there is an instance. The platform itself can be improved as there's no way to track how infections get into the organization.
