cloud antiviruses

Discussion in 'other anti-virus software' started by Superman20, Oct 1, 2009.

Thread Status:
Not open for further replies.
  1. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    How long will it be before they do? I'm sure it'll happen sometime.
     
  2. icr

    icr Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    1,589
    Location:
    UK
    Even when not using cloud technology, Avira's detection rate is over 99%; just expect what the detection rate will be when they include cloud-based technology :thumb:
     
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    True Cloud Computing

    Hitman Pro is the only true cloud computing AV as it is the only one physically scanning in the cloud with 7 vendors right at the moment a suspicious file is detected. And it is the only one making this process clearly visible to the end user.

    Most large vendors pretend to use cloud computing but they are only distributing user-specific signature updates by detecting which signatures the user already has, sending only those signatures that are missing, and calling it cloud computing o_O. If this is what you call cloud computing then socket communication is also cloud computing.

    Some vendors use the cloud just to prioritize their analysis facility. The more people have a certain file, the higher the file is positioned in the processing queue. I would not call this cloud computing either.

    About privacy: every vendor sends some kind of information to their servers. How do you think they create their signatures?

    About detection rates: most test organs perform tests using malware samples from weeks and even months old. But most computers don't get infected by malware from last month, they get infected by malware that is actively going around NOW.

    As Hitman Pro is physically receiving malware files we can easily run them through more AVs and see the detection rate of the top AV vendors drop from >98% to less than 60%. It is kinda misleading to say product X has a detection rate of 99% while in reality it won't protect you from most active threats. In our opinion the 99% detection rate should not have so much weight in the overall end-score of a product.

    The same applies to spam filters. Tests are performed on spam messages from weeks or months old. But if you take a spam filter you'll see that in reality the detection rates are really different when you actually use them...
     
    Last edited: Oct 4, 2009
  4. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    When that happens, I will rethink my security setup to exclude them :)
     
  5. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Re: True Cloud Computing

    I agree with your post and use Prevx. But the numbers posted on the Prevx site cause me some concern. Maybe I am mistaken in my interpretation, but it appears that the number of infections missed by antivirus programs but found by Prevx is a sum total. For instance, if malware123.exe were found on 300 different computers using McAfee the represented number found would be 300 not one.

    In this scenario I suppose it would be difficult to determine if the McAfee users were actually using an updated version of the product. I know more than a few people who let their subscriptions lapse.

    Another thing is that I believe Symantec, McAfee and Trend Micro probably represent 75% of the antivirus market. That may not be an exact number but I believe it is close. Anyway, using the latest stats posted on Prevx.com, Symantec, McAfee and Trend Micro accounted for 9687 missed samples which were found by Prevx. We can refer to the Symantec, McAfee, Trend Micro group as "group A". The remaining programs missed a total of 39,403 infections found by Prevx. We can refer to this group as "group B". It would seem like the total number of infections found in group B would be less than the total number in group A. I think that can be based on a number of detection tests in the past that would probably say group B consists of Avira, Eset and Kaspersky which are usually on par in detection with Symantec, McAfee and Trend Micro. Even if we assume that the "other" antivirus programs in group B are far inferior products they would probably consist of less than 2-3% of total market share and those products would have accounted for multiple infections on a single computer. Multiple infections would be totaled according to the Prevx stats- meaning if a computer had some oddball antivirus with 25 infections this number would be represented as 25 infections missed that Prevx found, not one antivirus product on one computer.

    Symantec has around a 50% market share but accounts for only 12% of missed infections. McAfee and Trend Micro probably account for 25% market share but only about 7% of missed infections.

    Anyone else see the stats as a little screwy or am I way off base on this?
     
  6. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    The last few posts are starting to clear up some confusion I've had about "cloud AV"
    The following is from
    http://prevx.com/
    under the tab labeled "What Prevx Does"
    My 1st question about this is:
    Prior to the "cloud" aspect kicking in: If one computer were to detect an infection, which is using Prevx, why wouldn't every computer using Prevx detect that infection?

    Even with hitman pro: Is it really hitman pro detecting the virus, or is it really "AV xxx" detecting the malware and then that malware (the signature of that malware?) then gets added "to the cloud" so the next person (who isn't running "AV xxx") detects it?

    2nd question:
    Assume "AV yyy" is one of those cloud based AV's which doesn't use multiple AV engines (i.e. hitman pro and immunet are excluded).
    Won't "AV yyy" still have to analyse the malware and generate a signature, then add it to the cloud before anyone begins to detect it? If so, then how much better is the protection here vs. updating your local signature database constantly? I'm not saying constant updates to your AV signature database are practical, just an example.
     
  7. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Re: True Cloud Computing

    The problem here is that the vast majority of users out there are using AV/firewall combinations on their computers. It's forum users like those that frequent Wilders for example that may experiment with other methods.

    When I first started using the internet, the general advice was to make sure you have an AV and a firewall, and remember to keep the AV up to date. In some quarters, that is still the main security tip given to "newbies".

    Another class of users out there are those that have an AV, but they're not up to date.

    Then there are those who use no AV at all.

    Another point to consider is despite trying different AVs or other technologies or none at all, the user doesn't get caught out with malware simply because of what they do online. Many choose where to go and what to do online in the same way they try to avoid dark alleys late at night because of associated risks. It's that group of people who rarely, if ever, get malware. At most they may get an alert from a scanner without actually being infected.

    Yes, we need to be security conscious, but not to the point where we need to be looking over our shoulder to such a high degree as implied UNLESS you are doing things that heighten that risk, with or without an AV. If you are, then by all means tighten things up. But ask yourselves: do I really need to?

    As an example, I got Sandboxie a while ago as it was highly recommended in these very forums, but I find I'm using it less and less. My general surfing, in my opinion, doesn't warrant every browsing session to be sandboxed. I may from a security point of view test out rogue applications in a sandboxed environment, and I see the benefit in that which means I can help researchers in this regard.
     
    Last edited: Oct 4, 2009
  8. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    I guess the stats could also mean that an overwhelming number of people that use one of the av's in group A do not use a supplemental product, or at least not Prevx. And that the market for Prevx at this time would be concentrated in group B.
     
  9. Soujirou

    Soujirou Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    63
    Re: True Cloud Computing

    I think I understand what you are saying. Your first concern is something like users may be using the 90 day trial of whatever AV came with their computer and never bothered to purchase it or another AV, so they are using outdated signatures, which would be the real problem.

    Second, I believe you are alluding to what Prevx mentions here:

    So let's take Symantec and Avira. Prevx caught malware on 6,000 users of Symantec and 5,000 users of Avira. Based on numbers, Symantec looks worse. However if Prevx scanned 20,000 machines using Symantec and only 10,000 machines using Avira, Symantec would look better as Prevx would have found malware on 30% of Symantec users versus 50% of Avira users.

    And then I guess you mention that the chart lists "infections" as opposed to "computers infected" and that can throw off how one AV compares to another.
     
  10. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    You're right, they don't!
     
  11. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon

    Technology Cloud not solution for future


    Copy and Paste AV Companies hilarious:argh: marketing technology :ninja: :ninja:
     
  12. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    It would, but the point is, I suppose, that the first detection would be on a heuristics/behavioural basis and all subsequent detections would be by a signature, removing the need for detailed analysis.
     
  13. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Funny, Info-week suggests otherwise, that Cloud would be the solution for the future. How are we going to defend against all these new types of threats? AV can only do what they have in the database when they get updated. Cloud works with all the users who send in the information working as one common goal how to stop the threat and how to clean it off your system.

    How about Symantec Endpoint for a solution factor?
     
  14. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon

    For me it is a matter of marketing.

    I know it's fashionable to be "cloud" but I think it does not add further detection.
     
  15. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    It should be the same level of detection; the cloud may remove the need for having full databases on the local side although I'm aware some products are currently using both whilst others rely on signatures only "in the cloud".
     
  16. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    Re: True Cloud Computing



    Keep in mind that that chart also takes FPs as detections. Also, it goes off what product is installed, not whether that product is 1. up to date, or 2. even active. Also, one point I noticed while trialing Prevx is that if you have it run alongside another standard AV and you don't have that AV move it to quarantine, Prevx will pick it up as a missed sample by that vendor.

    Charts, as with ANY AV company, are there to show their company in a good light. They don't show how the data is collected or even how flawed their method of collecting that data is.

    Now this is NOT a knock against Prevx; this is just to point out not to use manufacturers' websites to back up your claim unless you seriously understand how that data is collected.
     