Cloud AntiVirus Forecast: Foggy, with a Chance of Irrelevance

Symantec has recently authored a very thoughtful and timely commentary on “cloud antivirus." It is worth taking a few minutes to read and ponder these perspectives.

Source: Cloud AntiVirus Forecast: Foggy, with a Chance of Irrelevance

 

This article irritates me somehow. Until Norton either develop / deploy some cutting edge technology or make their AM as good as the top players, I dont think they are in any position to tell the rest of the security community the way forward.

 

Hmmm...
Seems like they are following the footsteps of Panda Cloud AV.


OT:
Anyways, I wonder how this cloud tech really works?
Does the signatures that you get from the internet on-the-fly retain in the AV's signature after you go offline??
Or is protection only available if you are online?

 

Wait... is this about their Norton Insight again? I thought they would prepare 2010 with their cloud-tech - is that what it's actually saying?

 

From my own perspective, Symantec is making two main points:

1. As more and more new malware instances are unique, the use of antivirus signatures -- whether in the cloud or on the client -- will become increasingly ineffective.

2. As a consequence, the techniques that will continue to be effective against malware are (a) intrusion prevention and (b) “watching network communications on a system, similar to what a firewall does.” Such techniques run on the client -- not in the cloud.​

The argument seems to be that an “an integrated suite with layered protection” including “behavior-based malware detection, network traffic analysis, and strong intrusion prevention” is the best defense against “unknown malware, an essential feature given today’s threat landscape.” Today, some of the cloud-only protection products (e.g., Prevx, Panda Cloud Antivirus) lack all of the capabilities of an integrated suite. The implication of the argument is that an integrated suite (e.g., Norton Internet Security or Kaspersky Internet Security) would provide a higher level of protection than piecemeal solutions, whether those solutions are in the cloud (e.g., Prevx, Panda Cloud Antivirus) or on the client (e.g., Norton AntiVirus or Kaspersky Anti-Virus).

If Symantec is correct, then we should expect to see other companies (e.g., Prevx) launching integrated security suites in order to remain competitive.

 

Yep.

 

Very interesting article, Pleonasm! Thanks for calling it to our attention.

 

This article shows me a number of things :

-they think that behaviour based analysis is vitally important (ala Prevx, threatfire etc)
- they haven't panned scanning per se, but scanning everything. Kaspersky tried to do away with scanning everything (a second time at least) by marking scanned files as safe and only scanning them again if they changed (I don't know if they still do)
- As a adjunct to the above point, still seem to suggest that they will scan 'in depth' the unknown files...and just how is this achieved? Most likely with the cloud based signatures that they are bagging. From that perspective, I think their article is deceptive.

I don't think they've offered any new insights.

 

Vikorr, I didn’t interpret the article in the same way. Symantec noted that “I agree cloud-based security makes sense for consumers” and “Ultimately, cloud-based malware detection is a technique that provides an additional layer of protection.” I think that Symantec’s key point is that a cloud-based signature component—while valuable—won’t be enough to protect users. It needs to be supplemented with heuristic protection capabilities typically found in full-featured security suites.

With all of the "hype" about cloud-based antivirus solutions circulating today, I think their comments are valuable to consider.

 

I agree.

Lets also not forget that this in-the-cloud services aren't new. The term makes it sound like is somewhat better than anything, etc. I'm not saying they aren't great. They have their use. But, these services, are not new. There are in-the-cloud e-mail accounts, edition software alike GIMP or Photoshop, etc.

This is not news. The difference, as I see it, is that, data, won't be transfered to the system. That's what it means.

Just because an anti-malware tool works as in-the-cloud (an on-line service) doesn't mean its better than anything else. Its just a catchy name, I think.

Part of a layered security? Why not. Alone? No miracles.

 

Pleonasm,

Thanks for this useful article

I agree with it.

Regards

 

I believe Prevx is using cloud-based behaviour technology, wouldn't this be more effective than cloud-based AV?

 

No one knows for sure, since Prevx has been unsupportive of independent empirical tests of its product against others (see this thread) and unwilling to publically share its “missed threats” data with individuals for examination and analysis (see this thread).

On a general note, I would suspect (but don’t know) that Prevx would be no more (and likely less) effective than a high-quality security suite (e.g., Norton Internet Security, Kaspersky Internet Security), since such tools have integrated functionality that is presently lacking in Prevx (e.g., two-way firewall, browser protection, intrusion prevention, secure networking, etc.). I believe this is why Prevx seems to advocate using its product as a complement to other security tools rather than as a primary, standalone protection mechanism.

 

Again, our product cannot be tested in the same on-demand manner as some other products. To view an accurate review which demonstrates the power and accuracy of our technology (which is not just a blacklist but a highly dynamic centralized behavior analysis system), you can read a review at http://www.pcmag.com/article2/0,2817,2346861,00.asp

The above mentioned technologies protect against some additional threats (i.e. hack attempts) but don't actually protect against today's malware. Security suites are just as easily bypassed as their antimalware components by malware as the suites don't contain additional antimalware features which aren't included in the separate antimalware components. If they did, that would be an illogical way to try and keep customers - if a threat gets past an antimalware program, the customer is not going to renew that program so logically every company is going to try and make the best protection available for the threats it is designed for.

 

Hi Pleo,

Mate, I agree there's a lot of hype about such. To me, the only better thing about signatures being cloud based is they theya re always up to date (and you don't have to keep downloading them). Other than that, signatures suffer from the same problems signatures have always suffered from - the need for a signature in order to detect something.

As for your disagreement with my perspective of the article, are you sure you aren't reading it a certain way because of your knowledge (as compared to someone with less knowledge of such things)?

 

Vikorr, you’re no doubt correct. We all wear our own “lenses” when we read and assess material, and I am certainly no exception.

 

There is a you youtube vid demonstrating how useless this AV is in this thread
you all should watch it.

https://www.wilderssecurity.com/showthread.php?p=1473886#post1473886

 

My 2 cents

When in the cload is combined with heuristics/behavior based analysis AND an intrusion protection which ensures Internet Connection, I see its use as a user friendly remote anti-dote/repair solution.

Advanced heuristics and characteristics data mining (e.g. HitmanPro 3.5) and behavior blocking (ThreatFire) allready is well developed. But balanced intrusion protection still has a way to go: how strong should the intrusion protection be to guarantee ownership/control of the PC AND ensure Internet Connection, how much noise is this going to generate?

Regards Kees

 

I would guess, when Symantec goes final with this, it will work kinda like TF in its update operation; download a local database to be able to make decisions by itself (I guess Symantec will do this in any case ), keep a database on the Internet (in the cloud) which also makes the software able to take action by itself when the user is connected to the Internet.