Cloud AntiVirus Forecast: Foggy, with a Chance of Irrelevance

Discussion in 'other anti-malware software' started by Pleonasm, May 20, 2009.

Thread Status:
Not open for further replies.
  1. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Symantec has recently authored a very thoughtful and timely commentary on “cloud antivirus." It is worth taking a few minutes to read and ponder these perspectives.

    Source: Cloud AntiVirus Forecast: Foggy, with a Chance of Irrelevance
     
  2. Retadpuss

    Retadpuss Suspended Member

    Joined:
    Apr 4, 2009
    Posts:
    226
    This article irritates me somehow. Until Norton either develop / deploy some cutting edge technology or make their AM as good as the top players, I dont think they are in any position to tell the rest of the security community the way forward.
     
  3. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Hmmm...
    Seems like they are following the footsteps of Panda Cloud AV.


    OT:
    Anyways, I wonder how this cloud tech really works?
    Does the signatures that you get from the internet on-the-fly retain in the AV's signature after you go offline??
    Or is protection only available if you are online?
     
  4. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Wait... is this about their Norton Insight again? I thought they would prepare 2010 with their cloud-tech - is that what it's actually saying?
     
  5. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    From my own perspective, Symantec is making two main points:

    1. As more and more new malware instances are unique, the use of antivirus signatures -- whether in the cloud or on the client -- will become increasingly ineffective.

    2. As a consequence, the techniques that will continue to be effective against malware are (a) intrusion prevention and (b) “watching network communications on a system, similar to what a firewall does.” Such techniques run on the client -- not in the cloud.​

    The argument seems to be that an “an integrated suite with layered protection” including “behavior-based malware detection, network traffic analysis, and strong intrusion prevention” is the best defense against “unknown malware, an essential feature given today’s threat landscape.” Today, some of the cloud-only protection products (e.g., Prevx, Panda Cloud Antivirus) lack all of the capabilities of an integrated suite. The implication of the argument is that an integrated suite (e.g., Norton Internet Security or Kaspersky Internet Security) would provide a higher level of protection than piecemeal solutions, whether those solutions are in the cloud (e.g., Prevx, Panda Cloud Antivirus) or on the client (e.g., Norton AntiVirus or Kaspersky Anti-Virus).

    If Symantec is correct, then we should expect to see other companies (e.g., Prevx) launching integrated security suites in order to remain competitive.
     
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Yep.;)
     
  7. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Very interesting article, Pleonasm! Thanks for calling it to our attention.
     
  8. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    This article shows me a number of things :

    -they think that behaviour based analysis is vitally important (ala Prevx, threatfire etc)
    - they haven't panned scanning per se, but scanning everything. Kaspersky tried to do away with scanning everything (a second time at least) by marking scanned files as safe and only scanning them again if they changed (I don't know if they still do)
    - As a adjunct to the above point, still seem to suggest that they will scan 'in depth' the unknown files...and just how is this achieved? Most likely with the cloud based signatures that they are bagging. From that perspective, I think their article is deceptive.

    I don't think they've offered any new insights.
     
  9. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Vikorr, I didn’t interpret the article in the same way. Symantec noted that “I agree cloud-based security makes sense for consumers” and “Ultimately, cloud-based malware detection is a technique that provides an additional layer of protection.” I think that Symantec’s key point is that a cloud-based signature component—while valuable—won’t be enough to protect users. It needs to be supplemented with heuristic protection capabilities typically found in full-featured security suites.

    With all of the "hype" about cloud-based antivirus solutions circulating today, I think their comments are valuable to consider.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I agree.

    Lets also not forget that this in-the-cloud services aren't new. The term makes it sound like is somewhat better than anything, etc. I'm not saying they aren't great. They have their use. But, these services, are not new. There are in-the-cloud e-mail accounts, edition software alike GIMP or Photoshop, etc.

    This is not news. The difference, as I see it, is that, data, won't be transfered to the system. That's what it means.

    Just because an anti-malware tool works as in-the-cloud (an on-line service) doesn't mean its better than anything else. Its just a catchy name, I think.

    Part of a layered security? Why not. Alone? No miracles.
     
  11. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Pleonasm,

    Thanks for this useful article :thumb:

    I agree with it.

    Regards
     
  12. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    I believe Prevx is using cloud-based behaviour technology, wouldn't this be more effective than cloud-based AV?
     
  13. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    No one knows for sure, since Prevx has been unsupportive of independent empirical tests of its product against others (see this thread) and unwilling to publically share its “missed threats” data with individuals for examination and analysis (see this thread).

    On a general note, I would suspect (but don’t know) that Prevx would be no more (and likely less) effective than a high-quality security suite (e.g., Norton Internet Security, Kaspersky Internet Security), since such tools have integrated functionality that is presently lacking in Prevx (e.g., two-way firewall, browser protection, intrusion prevention, secure networking, etc.). I believe this is why Prevx seems to advocate using its product as a complement to other security tools rather than as a primary, standalone protection mechanism.
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Again, our product cannot be tested in the same on-demand manner as some other products. To view an accurate review which demonstrates the power and accuracy of our technology (which is not just a blacklist but a highly dynamic centralized behavior analysis system), you can read a review at http://www.pcmag.com/article2/0,2817,2346861,00.asp

    The above mentioned technologies protect against some additional threats (i.e. hack attempts) but don't actually protect against today's malware. Security suites are just as easily bypassed as their antimalware components by malware as the suites don't contain additional antimalware features which aren't included in the separate antimalware components. If they did, that would be an illogical way to try and keep customers - if a threat gets past an antimalware program, the customer is not going to renew that program so logically every company is going to try and make the best protection available for the threats it is designed for.
     
  15. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi Pleo,

    Mate, I agree there's a lot of hype about such. To me, the only better thing about signatures being cloud based is they theya re always up to date (and you don't have to keep downloading them). Other than that, signatures suffer from the same problems signatures have always suffered from - the need for a signature in order to detect something.

    As for your disagreement with my perspective of the article, are you sure you aren't reading it a certain way because of your knowledge (as compared to someone with less knowledge of such things)?
     
  16. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Vikorr, you’re no doubt correct. We all wear our own “lenses” when we read and assess material, and I am certainly no exception.
     
  17. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    My 2 cents

    When in the cload is combined with heuristics/behavior based analysis AND an intrusion protection which ensures Internet Connection, I see its use as a user friendly remote anti-dote/repair solution.

    Advanced heuristics and characteristics data mining (e.g. HitmanPro 3.5) and behavior blocking (ThreatFire) allready is well developed. But balanced intrusion protection still has a way to go: how strong should the intrusion protection be to guarantee ownership/control of the PC AND ensure Internet Connection, how much noise is this going to generate?

    Regards Kees
     
  19. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I would guess, when Symantec goes final with this, it will work kinda like TF in its update operation; download a local database to be able to make decisions by itself (I guess Symantec will do this in any case :D), keep a database on the Internet (in the cloud) which also makes the software able to take action by itself when the user is connected to the Internet. ;)
     
Thread Status:
Not open for further replies.