Avast to go mobile, get VPN
Posted: 26 Jun 2011 10:13 AM PDT

PRAGUE--Avast isn't content with merely 130 million active Windows users. In addition to expanding its security offerings for the PC, the company plans to move at least some of its threat definitions to the cloud, while introducing a personal VPN and debuting an Android app with some features only for rooted phones.

(Credit: Screenshot by Seth Rosenblatt/CNET)

Avast Chief Technical Officer Ondrej Vlcek spoke to CNET during a recent tour of the company's virus lab about what the company had planned. Vlcek, who has been with Avast for 16 years and wrote the company's first Windows product, said that Avast looks to leverage its community data to develop better software for businesses as well as attract even more home consumers.

"In the next few months, we'll be coming out with some extra products not included in the suite, such as online backup, password management, and identity protection," Vlcek said.

Given Android's skyrocketing market share, it's not surprising that Avast is working on an Android security app, too. What's interesting is that Avast is aiming specifically for users who have rooted their phones.

"Rooted phones are more prone to certain kinds of attacks," said Vlcek, "because they are more able to run a wider range of programs. We consider people with rooted phones higher-risk users, and so they need more security. Fifteen [percent] to 20 percent of Android phones are rooted, including the Nexus which comes rooted."

He wouldn't reveal what root-specific features Avast is considering, but he did mention the app's basics. These included the company's antivirus engine, anti-theft and phone tracking, a contacts filter, and parental locks. A backup feature has yet to be settled on, he said, "because there's a big difference between a contacts list backup and backing up media files and apps." The company is also considering tying its WebRep engine for search result ratings and verification to the Android app.
Vlcek wouldn't commit to a specific month for release, either, only saying that it would arrive sometime in the fourth quarter and be completely free.

The most unusual feature that Avast will soon offer, however, is a personal VPN for both desktops and mobile. "It's a bit risky for us because we don't know how heavily people will be using it," Vlcek said. "But because of the insecurity of open, public Wi-Fi, where somebody can copy your session cookie and log on, we had to make people safer." The VPN solution will create a secure tunnel through which people can send data without fear of being tracked by an ISP or government, or having their computer or phone hacked.

"The Digital Millennium Act mandates ISPs to keep logs of everything for some time, and some people are not comfortable with that. We encrypt everything that goes through the ISP and then it's unencrypted after it passes through," he said.

The VPN will support multiple secure protocols, including PPTP, OpenVPN, SSL, and L2TP. A new companion VPN client for desktops and smartphones will help users configure the VPN, Vlcek said, and there won't be any bandwidth limitations. He also noted, with a smile, that it will allow country IP address spoofing to one of 17 countries in North America, Europe, or Asia.

Vlcek wasn't concerned about how useful it would be to people living in countries with restrictive Internet policies. "The Chinese officials won't try to block it because they know that business people need it for travel," he said.

He wouldn't make the timeline for release of the VPN public, but Vlcek did say that it would be a paid product "with yearly and monthly plans, in the ballpark of $50 a year." Avast Chief Executive Officer Vince Steckler said the company plans to start with the long-duration subscriptions but wants to move into micropayments so people can use the VPN on a per-session basis.
Vlcek went on to talk about what's coming in the 2012 Avast suite, due next February. Avast will be moving at least some of its threat definitions to the cloud, following many of its competitors such as Symantec, Trend Micro, Microsoft, and Panda. Vlcek said that Avast's cloud-based detection will be better because of the number of active Avast users, which is more than 130 million people. "With our user base, we have the potential to have a much stronger cloud than anybody else."

Additionally, Avast is looking at running your browser in its auto-sandbox by default. "Since just after the release of version 5, we haven't seen anything bypass the sandbox," Vlcek said.

Speaking of older versions of Avast, Vlcek also revealed some interesting numbers about which versions of the program people are using. It turns out, Internet Explorer and Firefox aren't the only programs struggling with version creep. About 60 percent of the active user base is on version 6, the current version, he said, but there are still about 15 percent of active users on version 4. "These are mainly people running a cracked, pirated license. We actually converted about 1 million users to version 6 free by circulating a 'license key' and passively upgrading them," Vlcek said.

Avast has plans to compete with more feature-heavy paid security suites, too. Users will soon be able to get online backup and password management solutions from Avast. The company has licensed Mozy to provide an Avast-branded online backup option, said Vlcek, with "no real changes" to Mozy's license or fees. Roboform will provide Avast's password management tool, for about $10 a year. "We didn't use LastPass because they weren't very flexible about third parties," said Vlcek. "The goal is to provide a low-cost password manager that we think our free users will enjoy." Vlcek said both the password manager and the online backup solutions will be available by around the end of the summer.
Avast's virus lab relies on robust community

Posted: 26 Jun 2011 10:13 AM PDT

(Credit: Seth Rosenblatt/CNET)

Seemingly random names are embossed on the interior glass walls of the Avast offices and conference rooms in its Prague headquarters, and the June morning light illuminates them from behind. Written in black, these names and the orange-colored names of cities below them are in fact the forum nicknames of the people who use Avast and the cities they originate from. It appears there are Avast users on every continent on Earth, and that, said the company's CEO Vincent Steckler, is by design.

"Two-thirds of new users come from personal recommendations," he said. "Trying to get 35 million users from direct marketing is nearly impossible, so we have to rely on the community."

Originally from the United States but living in Prague since he took over as Avast's chief officer in July 2009, Steckler is a numbers man. He touts the raw numbers of Avast's achievements with a pride that most parents reserve for a straight-A report card from their kids. He gleefully told CNET that Avast can boast 29 countries with at least 1 million active users each. He pointed to Brazil having just passed France as the country with the most Avast active users, both with 12 percent. The United States is in third with 8 percent, but Americans lead with the most Avast paid-upgrade installs. Five percent of its actives are in Russia, which Steckler said puts the country fourth on Avast's list and gives the company more active users there than the Moscow-based Kaspersky.

"We have about 1 million users per employee," Steckler noted. Avast's Brand Manager Miroslav Jirku quipped, "This is the first marketing job in my career that I don't have a marketing budget."
A former senior vice president of sales for Symantec, the makers of Norton, Steckler said that Avast has about 20 million more active users than its nearest competitor, AVG, because "there is no difference in malware protection between free and paid."

How Avast builds protection

Also like its competitors, Avast's detection starts with gathering threat samples. Kubec said that the company sees about 50,000 to 60,000 new virus samples per day, while Steckler added that about 15,000 of those are actually unique. The difference is that the former number is the raw number of virus threats detected, while the latter is the number of polymorphic virus families. As the name implies, these virus families behave or look similar with only slight variations, so they are considered part of the same group.

Kubec also pointed out that the "bad guys" are extremely responsive. "They have very fast reactions. It takes about three hours after a threat has been stopped for the virus maker to put out a new one," which he clarified to mean a new variant.

Avast has built about 5 million "honeypots" around the Web for picking up on threats early, and it also relies heavily on its CommunityIQ database, said Kubec. "We see hundreds of gigabytes per week in our own feeds, so we have lots of metadata and heuristics over the metadata. We have the automated way of detecting something, and we have the manual power to decide quickly," he explained in English, which is not his first language.

The honeypot attracts threats and stops them before they reach people. For example, Kubec said, "we know that some domains are really bad, [they're] just for malware. So we have some honeypots that know the binary from that domain, and then it gets killed." He cited the CZ.CC, CO.BE, and VB.CC domains, as well as the old Soviet .SU domain, as notorious sources of malware.
Most if not all major consumer security vendors manage a database like Avast's CommunityIQ, which gets its anonymously contributed security data from its users. Within the program itself, CommunityIQ uses automated processes to gather its data, mostly from the program's behavior shield and anti-rootkit modules.

"Rootkits are considered the most dangerous kinds of malware and the most difficult to remove," said Ondrej Vlcek, Avast's chief technical officer. "So we struck a deal with the maker of the popular GMER to integrate it into Avast. We've developed it further," to both integrate it and make it more powerful at rootkit detection, he said.

The data that CommunityIQ gathers includes "safe" programs as well as malicious ones, Kubec said, and provides Avast with a broad base of data in exchange for securing your computer. While the "Little Brother" implications may worry some, it's clearly a trade people are willing to make. "About 60 [percent] to 80 percent [of active users] opt in to the community reporting," said Steckler, who added that CommunityIQ is an opt-out choice when you install Avast. That means that during the install, users must actively choose to remove themselves from CommunityIQ, although doing so does not decrease the level of protection that Avast provides.

Pre-processing helps Kubec's team manage the virus samples that come in. By the time that one of his analysts starts working on a sample, he said, they already know its filename and metadata. Not unlike competitor AVG, Avast's virus lab runs the sample in a virtual machine through the company's proprietary tools to get a graphical layout and entropy map of the file. From there, "we search for something rare in files," said Michal Trs, a senior virus analyst at Avast.
One of 30 analysts the company employs, all based in their Prague office, he explained his comment further by saying that he and his colleagues look for code in a file that shouldn't be there, like an executable command hidden in an image file. "It's not perfect, but it does look for the file signature for metamorphic viruses and polymorphic viruses. We know that our tool is a program that the virus is not prepared for."

After generating the entropy map and determining that a file is indeed a threat, the analyst generates a checksum for it and pushes the update to Avast's users. A checksum is a fixed number generated by a tool that essentially "fingerprints" the file. If the data inside the file changes, whether by a virus or by authorized means, the checksum changes. Similar to how the police might compare fingerprints, the checksum has proven to be an effective tool for verifying a file's contents.

The last step, Vlcek added, is making sure the new rule is risk-free. "Before we push a rule out we test it so it doesn't hurt the user. We have seen few complaints," he commented.

The changing threatscape

The bad guys, he continued, can simply buy their way into being bad guys. "They can buy server hosting, exploit kits, hire interface designers, hire accountants...I believe that the number of people writing the malware is very low, but the number of clients buying it is very high."

Worse than that, he added, is the way that social engineering is driving creativity in newer threats. "There was a very strange kind of fraud in Slovakia, where [the people committing the fraud] were getting people to register a user name on what looked like a normal site. So you tick [the box] that you accept, and then in the TOS, in the small print it said you owe them $90 per year," he said. "They were not charging you for the software, they're charging you for the link to the software."
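
The entropy-map and checksum steps of the lab workflow described above can be sketched as follows. This is an added example, not Avast's tooling or code from the original article; the 256-byte window, the 6.5-bit threshold, the use of SHA-256 as the checksum, and the sample bytes are all assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

WINDOW = 256      # bytes per entropy-map cell (assumed)
THRESHOLD = 6.5   # bits/byte above which a window is treated as "rare" (assumed)

def shannon_entropy(chunk):
    """Bits per byte: 0.0 for constant data, close to 8.0 for random data."""
    if not chunk:
        return 0.0
    total = len(chunk)
    counts = Counter(chunk).values()
    return -sum((n / total) * math.log2(n / total) for n in counts)

def entropy_map(data, window=WINDOW):
    """Entropy of each consecutive window; plotting this list gives the map."""
    return [shannon_entropy(data[i:i + window])
            for i in range(0, len(data), window)]

def rare_regions(data, threshold=THRESHOLD, window=WINDOW):
    """Byte offsets of windows that look packed or encrypted."""
    return [i * window
            for i, h in enumerate(entropy_map(data, window))
            if h > threshold]

def fingerprint(data):
    """SHA-256 hex digest standing in for the article's 'checksum'."""
    return hashlib.sha256(data).hexdigest()

def constructed_sample():
    """Constructed input: 1 KiB of repetitive text followed by 512 bytes of
    hash output, which stands in for a packed or encrypted payload."""
    plain = (b"plain header text " * 57)[:1024]
    dense = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    return plain + dense

if __name__ == "__main__":
    sample = constructed_sample()
    for offset, h in zip(range(0, len(sample), WINDOW), entropy_map(sample)):
        print(f"offset {offset:5d}  entropy {h:4.2f}  {'#' * int(h * 4)}")
    print("high-entropy offsets:", rare_regions(sample))
    print("fingerprint:", fingerprint(sample))
    patched = bytearray(sample)
    patched[10] ^= 0x01  # flip a single bit
    print("after 1-bit change:", fingerprint(bytes(patched)))
```
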
But, Kubec says, the burden of protection should not rely on the Internet service provider. "ISPs should not alter your results, they should just deliver the data. That's what they're paid for." And search engines, like Google, he said, are "good" but "too slow."

"When you see a Web-based infection, it's a chain. So should Google block the original site that has a bad iFrame on a good site? I don't know," he said, shaking his head. Kubec laid a lot of the blame on unscrupulous ad agencies that he says don't care where the ads come from, even though they are being used to deliver malware and exploit people's computers.

Vlcek explained how that works. "The JavaScript doesn't usually contain the malicious payload. Instead, it scans the computer for vulnerabilities. It looks at Java, PDFs, Flash, and it only takes one to infect the computer."

Kubec also said that, at least in Europe, people have been getting malware just from listening to music. "You can run a stand-alone music application, which displays an ad. If it hits a Java exploit, you get infected." He also criticized the blogging tool WordPress for its shared theme plug-ins, because they're often written with backdoors installed, creating yet another vector by which hackers can access your Web site.

Whatever the nature of the threat, the bottom line for Steckler is reduced to Avast's reputation. "It's not just the community, it's the influencers with the community," he said. "If they see that you're annoying their mother or their friends, they're going to stop recommending you. If we've got the choice between near-term revenue or long-term user happiness, we'll go with long-term."

Originally posted at News - Security