Bad sides of CloudBased Antivirus software?

Discussion in 'other anti-virus software' started by Durad, Nov 20, 2009.

Thread Status:
Not open for further replies.
  1. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    To clarify, a community based approach to anti-virus protection isn’t a different way of delivering signatures, but is an entirely different dimension of assessing a file’s trustworthiness. One is not a substitute for the other. As Symantec explains, “This approach is the perfect complement to signatures—it is tailor-made for making decisions about unknown executables whereas signatures excel at telling you about something that is already known (like an existing virus or Trojan)” (see here).

    It’s not clear to me why you believe that “in-the-cloud” technologies represent a cost savings for anti-virus vendors. Certainly, in the case of those vendors' products that provide both local signatures and community based insight, the cloud component is an incremental cost.

    Consider Symantec’s commentary: “Each day, our back-end servers import many gigabytes of reputation telemetry data from tens of millions of customers and use this data to compute file reputations.... We constructed a huge data center for continually calculating and recalculating our trust ratings. Luckily folks at Symantec know something about data centers” (see here). A data center supporting 50 million members of the Norton Community to deliver reputation ratings can’t be inexpensive, I suspect.
     
  2. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753

    Yes, if you note more carefully my posts, I was mentioning "cloud-only AVs" in cutting costs. An AV which next to the traditional way adds cloud, OBVIOUSLY isn't cutting costs...



    Here's a nice summary from Norman:



    And a simple question to add to the above problems. Hashes are compared to the online database, so all "safe" programs that are already in the database are receiving back an "OK" signal and the scan leaves them alone. What happens to "unique" hashes? Documents, password databases, emails, etc? Of course the online database can't have already analysed those files. So how is the cloud in position to reply that they are clean? Logical answer: You have to upload them to the cloud to be scanned. My reply: no, thanks, I'd rather have a local database to scan them on my PC with the existing signatures of the local database.

    Unless I am missing something and the cloud analyzer engine can tell if your unique file is clean without ever "seeing" it?
     
  3. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    Wouldn't it be better to send them credit card info directly rather than through the cloud system :D
     
  4. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    What if the signature is not in the cache and your connection is OFF or the server is unavailable/overloaded? Wait I know the answer..:p

    Also, another serious problem with any cloud-based solution is if even one piece of malware slips through and happens to disable the internet through a proxy/lmhosts file/DNS redirect etc etc etc etc., then any other malware it pulls down may not be detected even though it might have been using a traditional AV.
     
  5. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    On a more general note, why should the “cost cutting” issue be a consideration for users, provided that it does not negatively impact protection against malware? Companies are always looking for ways to be more efficient.

    I agree. Personally, I would not use an anti-virus product that uploaded files (not just hashes) and scanned them in the cloud.

    By way of comparison, my understanding for Norton Internet Security 2010 is that only hashes of executables (not documents, emails, etc.) are represented within the cloud reputation database -- and, only those files that are detected as malicious are actually uploaded at all. Thus, at least in this one case, it’s not a privacy or security issue.

    One approach for this scenario is to boot with the anti-virus vendor’s recovery/rescue CD (e.g., the Norton Bootable Recovery Tool disc in the case of Norton Internet Security 2010), which downloads the most recent signatures, performs a scan, and (if required) removes malware.
     
  6. ASpace

    ASpace Guest

    This topic has some serious problems. You are obviously talking about cloud-only based AV products. Writing about or discussing it, you probably think of Panda Cloud Antivirus. Let us mention that there are other products, too, better than PClA. Don't forget McAfee, Norton, Kaspersky, Panda (full products), etc.

    The cloud is just an add-on for the almost perfect level protection security solutions. If Panda's Cloud AV is cloud-checking only (mostly), full security suites do use: white list + black list (definitions) + heuristics + HIPS + firewall + (...) in addition to the In-the-cloud.

    The possibility to have a malware slip through a layered security solution which detects more than 98% of the malware with just signatures (don't forget that we also have numerous other protections) is almost zero.
     
  7. ASpace

    ASpace Guest

    IMHO -> Up-to-the-second opinion about a file present on your computer.
     
  8. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    While my own experience matches your assertion, doesn’t data such as Prevx’s “threats missed by other security vendors” reported on their home webpage suggest that all anti-malware products have limitations meaningfully larger than “almost zero”?
     
  9. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    I'm sorry but that graph is purely for marketing and should not be used in an argument as evidence. :cautious:
     
  10. ASpace

    ASpace Guest

    Yep, some products do have some limitations. But these products are not the one I use and definitely their limitations are not as huge as Prevx's website "demonstrates".
     
  11. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    As members of the Wilders community may recall, I have previously expressed serious reservations about the Prevx “threats missed by other security vendors” statistics (and don’t want to start yet another dialog on this subject!). Nonetheless, I fully believe that the statistics are presented in good faith.

    It’s difficult to assess the magnitude of the “limitations” indicated by the Prevx “threats missed by other security vendors” statistics, since the company doesn’t provide the number of PCs included for each security vendor (e.g., 5,000 missed threats spread over 5,000,000 PCs is equivalent to 99.9% efficacy).
     
  12. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    Yep just like every other marketing campaign put on by Anti virus vendors. :cautious:
     
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I totally disagree. Saying one thing and actually posting on a website information are 2 different birds. Come on, there are some very smart people here and if Prevx was pulling the wool over the proverbial eye, someone is going to catch them. But they have not. Maybe the information is factual, and no one vendor wants to admit it. HiTech, you bash your old friend Eset in the ground for version 4 so to me if anyone could agree with the findings of Prevx, it would be you.

    But oh, excuse me, Norton is also listed. Why would Prevx risk so much to post this type of info on their website if it were not true? Sorry, to me, it would bring them totally down if found to be fake and I don't think they have to supply anyone with their methods of how it is calculated. Bright minds here? Huh, sometimes I wonder.:cautious:
     
  14. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    It's not that the graph is wrong. It's that there is too big of a margin for error: false positives, out-of-date files, product disabled. All can be included in the graph's show of missed samples. You need to look past marketing. Prevx, just like all AVs out there, has its pluses and minuses; you just have to find out which one fits your style.
     
  15. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Ok, I can agree with that as you know I respect your thoughts Fajo, but in reality, the only true testing for the truth will still be individual testing by different organizations. I too wonder if some of the detections are not FPs and would be foolish to say otherwise.
     
  16. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    But I will also trust in the one dude here who has been straightforward about stuff and that is Joe himself. If he tells me it is accurate then I go with it till someone proves him wrong.
     
  17. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    My impression is that you think that the task of marketing is to “deceive” customers, which is seriously out of date with respect to current business thinking. More and more companies are realizing that customer trust in the brand is a critical asset that can make or break the business (anyone remember Andersen Consulting?), and must be managed like any other asset.

    The purpose of marketing is to build and to sustain customer relationships -- not to push product. It’s the core of customer equity, smart companies know this fact, and act accordingly.
     
  18. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    I in no way disagree some of that graph is true. I'm just stating it's not as big as that graph shows. Again it supports more for marketing than it does for truth, but then again that's my point of view.
     
  19. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    No..
    Companies are not being dishonest but marketing will only show their product in the best light, none of its faults. That's my point: you need to look at independent views before you look at a company's views, otherwise you will only see one side of the story so to speak.
     
  20. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Why does Prevx not list FPs by other security vendors on their site?
    They fear that their rivals could do the same. ;)

    More seriously, every other security vendor from their list could also publish infections not found by Prevx.
    Well, I don't know for sure why they don't. Most often because they don't want to concentrate the attention of their customers on minnows.

    Cheers
     
  21. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    In the end every Anti-Virus Company, cloud based or not, is going to market what they feel appeals to customers about their product best. Again this is why it's just better to use your own personal experience or reviews from independent sources.
     
  22. ASpace

    ASpace Guest

    First, I am no longer HiTech_boy. Please, use my new nickname!
    Second, it wouldn't be me who would agree. I agree with REAL-WORLD results that show the antivirus programs' status.

    You must be kidding, right. You can't be so naive.
    Of course the information is fake (by "fake" I mean it does NOT represent the real world). It simply places the detections PrevX got, but this also counts if I temporarily disable my antivirus to test PrevX if it will catch a malware.
     
    Last edited by a moderator: Nov 24, 2009
  23. ASpace

    ASpace Guest

    I agree:thumb:
     
  24. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    My point isn't that it is bad for a vendor to cut costs. What I try to say, is that this euphoria in articles about Cloud software, is minimizing the negative aspects for the user, maximizing the positive and not mentioning at all the positive for the vendor. I think this explains a LOT of why this unilateral approach to the subject. If I were an AV vendor, I would want to push to cloud only eventually. I would consider the local database+cloud, only a transitional period until the users get used to the idea and then go cloud only, as some products have already done.

    In F-Secure for example, you can opt-out from the cloud. But if you opt in, there is really no information about what is being sent. It's the era of "you trust your cloud". Minor privacy issues, not worth mentioning since it's so cool anyway. :D


    Me too. But if you ask me, if the trend for "cloud only" expands and users get accustomed, then we will proceed to scanning all files in the cloud. Google wants to store your data in their servers, go figure if an AV vendor, given the possibility, wouldn't like to scan everything in his server...

    Well, good for Norton! The problem is that Norton is just one product, this topic isn't just about Norton, it's about cloud based AV... Norton right now is a "mixed" based AV. And you know how Norton works, great. For F-Secure, I don't see any info of what is sent if I activate the cloud.

    For products that are not "mixed" like Norton, how do you resolve the issue of documents, photos and other infectable files? "Trust your cloud" I suppose. Either you upload them to your cloud or your program is excluding them, so you have the risk of infection. So you choose between your privacy and your infection risk. See why I note the fact of being so good for the vendor? I don't see all this advantage for the user and I read in articles is how "cool" and "awesome" it is.
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Bad sides are mentioned a lot but:

    a) performance
    Most AVs have a large part of their database in memory, also disk access of the older fingerprints is at 50 MB/sec minimum on most hard disks (modern sata2 platters reach 100 MB/sec, raid-0 setups are always 100 or more even with old hard disks). Compare this to download speed expressed in megabits instead of megabytes

    b) no connection = no (pure cloud) or limited protection


    Good side
    a) performance
    Cloud based AVs drive innovation in regard to different scans and cached program fingerprints (hashes), so after initial 'learning' of software footprint cloud AVs should be very lean on CPU and disk I/O and need little bandwidth for occasional cloud database check

    b) no connection = delayed program check
    Cloud AVs will also develop smart checking at program install only (e.g. Immunet) or delay check for system performance (Panda). When these mechanisms are combined with RegRun like capabilities, it will be possible to remove viruses at a later moment in time. Think at next boot when cloud connection is established or when cloud connection fails for three days you will be prompted to remove the programs installed in the last three days.
    At the moment this is not offered by Cloud AV, but this will be only a matter of time.

    Regards Kees
     
    Last edited: Nov 24, 2009
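
As an added illustration of the lookup flow debated in this thread (unique hashes in Fuzzfas's post, a cache miss with no connection in Zombini's, cached fingerprints and delayed checks in Kees1958's), here is a minimal sketch; it is not code from any poster or vendor. `FakeCloud`, `ReputationClient`, the verdict names and the use of SHA-256 are assumptions made for the example.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"    # the cloud has never seen this hash
    DEFERRED = "deferred"  # cloud unreachable, lookup queued for later

class CloudUnavailable(Exception):
    pass

class FakeCloud:
    """Constructed stand-in for a vendor reputation service (hypothetical)."""
    def __init__(self, known):
        self.known, self.online, self.received = known, True, []

    def lookup(self, digest):
        if not self.online:
            raise CloudUnavailable()
        self.received.append(digest)  # record what actually left the PC
        return self.known.get(digest, Verdict.UNKNOWN)

class ReputationClient:
    def __init__(self, cloud):
        self.cloud, self.cache, self.pending = cloud, {}, []

    def check(self, data: bytes) -> Verdict:
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.cache:            # cached verdicts work offline
            return self.cache[digest]
        try:
            verdict = self.cloud.lookup(digest)
        except CloudUnavailable:
            if digest not in self.pending:  # queue for a delayed check
                self.pending.append(digest)
            return Verdict.DEFERRED
        if verdict is not Verdict.UNKNOWN:  # never cache "unknown" as safe
            self.cache[digest] = verdict
        return verdict

    def retry_pending(self) -> dict:
        """Re-run queued lookups once the connection is back."""
        results = {}
        for digest in list(self.pending):
            try:
                results[digest] = self.cloud.lookup(digest)
            except CloudUnavailable:
                break
            self.pending.remove(digest)
        return results
```

A hash-only service can answer `UNKNOWN` for a one-of-a-kind document but cannot call it clean, and a `DEFERRED` file stays unvetted until `retry_pending()` succeeds.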