Buzzword: "cloud anti-virus"
What is it all about?
"The cloud" is without doubt one of the most popular marketing terms used by the IT industry in recent years. Virtual clouds promise easy and mobile access to data and services. This technology is also in use in the anti-virus sector, with fast scans and very low resource consumption being a clear advantage of cloud-based scanners. However, the use of cloud technology is something of a double-edged sword.
What is a cloud?
Cloud computing is, in simple terms, the distributed delivery of IT infrastructure over a network. This can take many forms. Notably, storage services provided by data centers are currently in vogue, offering users storage space over the web. You can use this storage on your PC at home just like a conventional local hard drive even though it's really located hundreds or even thousands of miles away. As you, the user, don't know exactly which server your data is located on, we refer to this storage space as a "data cloud".
There are even complete programs and comprehensive services that are offered via the cloud. Just like conventional client/server architecture, spreadsheet software for example is run on a remote computer, known as a server. You are provided with an interface on your own PC via the Internet, which allows you to use the software. This is very convenient as it requires no software to be installed, and computationally intensive operations are also outsourced.
Conventional anti-virus solutions have a problem
Conventional virus scanners are still based on signatures. Yet sooner or later they will be stuck between a rock and a hard place as the number of newly discovered malware variants doubles every 12 to 18 months. Consequently, the number of signatures that have to be loaded is increasing exponentially. Virus scanners detect malware using these signatures, which are essentially digital fingerprints (see our article Signature recognition or behavioral analysis - Which is better?).
As a result, software-based security scanners require more and more storage space for their signatures every year. This affects users who have a poor Internet connection in particular, as the signatures must be downloaded either upon installation or during the first online update. Some vendors require several hundred megabytes – a nightmare for users who don't have a broadband Internet connection. Another disadvantage is the RAM consumption, as the signatures need to be resident in memory for quick scans. High memory usage has a negative effect on the performance of older PCs in particular and results in a deduction of points in many comparative tests. However, higher memory usage is usually also an indication of more signatures and therefore a better overall detection rate.
What are the advantages of cloud anti-virus technology?
Cloud security solutions solve almost every problem that conventional, locally installed anti-virus programs have. The user only has to download the pure scanner technology, which is only a few megabytes or even kilobytes for most providers. All signatures are located on a centralized server where they can be updated at any time, without delay and in any quantity.
In a sense, cloud scanners work the opposite way to conventional signature scanners: they create signatures of the files found on the PC and then submit them to the server for analysis. If there is a match with malware, the scanner alerts you to an infection as usual. You won't see any indication that this entire process is handled externally. You simply see the result, and that the scan runs significantly faster and consumes fewer resources. Another advantage of cloud scanners is that they also detect deviations from the normal state of a system by combining the data of a vast community of users very quickly. This makes it possible for the system to be viewed as a whole and for new unknown malware variants to be detected.
So what's the catch?
It just sounds too good to be true. Faster, better, uses fewer resources – if this were all true, there would be no more conventional virus scanners. Alas, the devil is in the details with cloud anti-virus software. A typical PC contains an average of 300,000 to 500,000 files. If all of these files were scanned, uploading their signatures to the scan server as they are created on the fly would take forever.
For this reason, cloud anti-virus software filters the files that are scanned on the basis of various rules and parameters. For instance, there are some file types or paths that are generally considered safe. In addition, many cloud anti-virus solutions incorporate huge whitelists. These are sort of inverse signatures that classify known programs as safe. This greatly reduces the number of files to be scanned, even though it means more data needs to be downloaded to your PC.
It is this incomplete form of scan, however, that is the Achilles heel of cloud anti-virus technology. If not all files are thoroughly scanned, there is always the opportunity for malware to slip past undetected, whether it be through an as yet unused path or a file type that was previously considered safe.
Another problem is that files that are currently unknown to the scan cloud are, in most cases, submitted in their entirety to the cloud for further analysis. While you may have been happy about the small download, you'll get an unpleasant surprise when you see countless megabytes uploaded to the cloud when performing a scan for the first time. Many people won't even be aware of the fact that their private or important company data may end up on third-party servers.
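To make the trade-offs above concrete, here is an added Python example (not Emsisoft code or any vendor's implementation) that models the client side of a cloud scan: filter, fingerprint, look up, and fall back to a full upload for unknown files. The skip list, whitelist, verdict table and sample files are all constructed, and the "cloud" is an in-process dictionary standing in for the vendor's server.

```python
import hashlib
from pathlib import PurePosixPath

# Everything below is constructed sample data, not a real vendor's rule set.
SKIP_EXTENSIONS = {".txt", ".jpg"}   # file types the client treats as safe
LOCAL_WHITELIST = set()              # fingerprints of known-good programs
CLOUD_VERDICTS = {}                  # stand-in for the server-side database

def fingerprint(data):
    """The 'signature' sent to the cloud: a SHA-256 of the file content."""
    return hashlib.sha256(data).hexdigest()

def scan(files):
    """Classify each file the way the filtering pipeline above would."""
    report = {"skipped": [], "whitelisted": [], "clean": [],
              "malicious": [], "uploaded": []}
    for path, data in files.items():
        if PurePosixPath(path).suffix.lower() in SKIP_EXTENSIONS:
            report["skipped"].append(path)      # never hashed, never checked
            continue
        digest = fingerprint(data)
        if digest in LOCAL_WHITELIST:
            report["whitelisted"].append(path)  # no network traffic at all
            continue
        verdict = CLOUD_VERDICTS.get(digest)    # only the hash leaves the PC
        if verdict is None:
            report["uploaded"].append(path)     # unknown: whole file is sent
        else:
            report[verdict].append(path)
    return report

def upload_bytes(files, report):
    """Total size of file content that would be submitted to the cloud."""
    return sum(len(files[p]) for p in report["uploaded"])

SAMPLE_FILES = {
    "/apps/editor.exe": b"known good editor build",
    "/apps/lib.dll": b"common library",
    "/apps/tool.exe": b"known bad sample",
    "/home/user/report.exe": b"in-house build nobody else has" * 1000,
    "/home/user/notes.txt": b"known bad sample",  # same bytes as tool.exe
}
LOCAL_WHITELIST.add(fingerprint(SAMPLE_FILES["/apps/editor.exe"]))
CLOUD_VERDICTS[fingerprint(b"common library")] = "clean"
CLOUD_VERDICTS[fingerprint(b"known bad sample")] = "malicious"

if __name__ == "__main__":
    result = scan(SAMPLE_FILES)
    print(result)
    print("bytes uploaded:", upload_bytes(SAMPLE_FILES, result))
```

Note that notes.txt carries the same bytes as the detected tool.exe but is never examined because of its extension, and the in-house report.exe is the only file whose full content leaves the machine.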
Hybrid technology as the best solution
We believe that a combination of a cloud service and a conventional anti-virus scanner offers the best of both technologies. This is why many Emsisoft products incorporate cloud features.
Namely, Emsisoft Anti-Malware offers the possibility of participating in the "Emsisoft Anti-Malware Network". If you enable this option, all decisions regarding alerts from the behavior blocker are submitted directly to our server. This enables other users to see if the majority of the community allows or blocks a program and thus helps you to make a decision. Moreover, the results of statistical analysis determine a "trust index" for each program, so that safe programs end up on a whitelist and won't produce any further alerts.
Emsisoft Anti-Malware's scanner also asks if you would like to submit suspicious patterns detected in new files (only program files, no documents). Our analysis team then analyzes the suspicious file thoroughly and creates a new signature if necessary. This helps Emsisoft and therefore all users by minimizing the response times to new malware outbreaks and ensuring the best protection possible.
Our HIPS-based firewall, Emsisoft Online Armor, also uses the Emsisoft Anti-Malware Network. Your decisions on allowing and blocking programs are submitted to the Emsisoft cloud in order to reduce future alerts. This allows false alerts to be avoided efficiently without reducing the level of security.
Incidentally, the data on all files stored in the Emsisoft Anti-Malware Network is visible to everyone and can even be searched. The Emsisoft cloud is thus not closed, but completely transparent and can be accessed through the web interface at any time. There is currently information on more than 12 million known program files (as of November 2012), including the geographical distribution of malware occurrences. Take a look for yourself: IsThisFileSafe.com.
Have a nice (malware-free) day!
Your Emsisoft Team