Monday, October 24, 2011

What is a cloud antivirus program?

What is a cloud antivirus? The "cloud" has been a popular term lately with antivirus and security vendors, but what does the term actually stand for? Let's take a look at what it means and bust some of the myths.

Using Wikipedia to define the cloud, we get the following definition: "Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet)." - Source: Wikipedia

Now let's translate this into how it is used in the computer security world. The shared resource is the real-time malware analysis service, and the information delivered is the malware detection definition. This is a very basic and slightly vague way to describe it, but I will be diving in deeper later on in this article.

The first thing to remember is that not all AV clouds are equal; not every cloud is designed and works the same way. The first cloud AV we will take a look at is Panda Cloud Antivirus. The Panda Security cloud is called the Collective Intelligence database. Panda Security describes the CI service here as the next generation of anti-malware services. The CI system automatically analyzes the files it receives and classifies them as either goodware or badware. This system is the core backbone of their Cloud Antivirus product.

The next cloud product we are going to take a look at is Prevx (also known as Webroot SecureAnywhere). Prevx does more behavior analysis on files as they are executed and checks them against the Webroot/Prevx cloud server (info here). The on-demand scanner does a much smaller analysis than what is done in real time.

McAfee has the Global Threat Intelligence service to help detect new threats. They do a rather good job of outlining how it works in their KnowledgeBase. I have no personal experience testing this product, but I have only seen reports of it blocking new malware, so it seems to be working.

The final type I am going to share is the telemetry cloud. Just about every vendor at least collects telemetry data from all of its installed machines. An example of telemetry data: a program detects a file as possibly bad, but not with enough confidence to flag it as malware, so it marks the file as suspicious and on its next update sends the file to the vendor's server. The vendor then researches it and, if it is bad, adds it in one of the next threat database updates. This could be considered one of the first-generation clouds.

These are just a small sample of all the cloud products out there. Every vendor keeps adding to and improving its cloud network, and I have not had time to take a look at every one of them. Some more I can think of off the top of my head are Kingsoft Cloud, Kaspersky Security Network, Norton SONAR, PC Tools ThreatFire Community Detection, and Rising Security Network; the list goes on and on.

So now let's bust some cloud antivirus myths:

Every time a new file is detected, the whole file must be sent to the cloud:

This is incorrect. Most vendors compute an inverse file signature and send that data to the cloud, sending the full file only if it is 100% needed.

If an antivirus is a cloud product, I can run other security software alongside it:

This is also incorrect. Whether a product can run alongside another product has nothing to do with it being cloud-based. Even if an AV is a cloud AV, it is still recommended to use only one AV product.
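As an added illustration (not code from this post or from any vendor) of the signature-first lookup behind the first myth and the telemetry path described earlier: the client hashes the file, asks a constructed stand-in for a vendor cloud database for a verdict, and uploads the whole file only when the cloud has never seen that signature. The sample files, the cloud database and the class and method names are all assumptions made for the example.

```python
import hashlib

def file_signature(data: bytes) -> str:
    """What leaves the machine on every scan: a SHA-256 digest, not the file."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample "files" standing in for executables on disk.
SAMPLE_GOOD = b"MZ benign sample"
SAMPLE_BAD = b"MZ malicious sample"
SAMPLE_UNKNOWN = b"MZ never seen before"

# Constructed stand-in for a vendor cloud database keyed by signature
# (an assumption; real services have their own formats and protocols).
CLOUD_DB = {
    file_signature(SAMPLE_GOOD): "goodware",
    file_signature(SAMPLE_BAD): "badware",
}

class CloudAvClient:
    """Minimal client showing the signature-first, upload-only-if-needed flow."""

    def __init__(self, cloud_db: dict):
        self.cloud_db = cloud_db
        self.cache = {}       # local verdict cache: repeat scans stay offline
        self.uploaded = []    # signatures whose full file was sent (telemetry)
        self.lookups = 0      # cloud round trips, to show what is actually sent

    def scan(self, data: bytes) -> str:
        sig = file_signature(data)
        if sig in self.cache:
            return self.cache[sig]
        self.lookups += 1
        verdict = self.cloud_db.get(sig)
        if verdict is None:
            # The cloud has never seen this signature: mark it suspicious and
            # submit the whole file for vendor analysis. This is the only case
            # in which the full file is transmitted.
            verdict = "suspicious"
            self.uploaded.append(sig)
        self.cache[sig] = verdict
        return verdict

    def apply_update(self, sig: str, verdict: str) -> None:
        """Vendor research finished: publish the verdict and drop the stale cache entry."""
        self.cloud_db[sig] = verdict
        self.cache.pop(sig, None)
```

Scanning the three samples produces one cloud lookup each and exactly one full-file upload (the unknown sample); once the vendor publishes a verdict for it, the next scan gets the new verdict from the cloud without another upload.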

