Is there a critical mass for cloud solutions?

Discussion in 'other anti-virus software' started by Iangh, Feb 4, 2010.

Thread Status:
Not open for further replies.
  1. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    611
    Location:
    Melbourne, Australia
    Am I right in thinking that there is a critical mass of users for a cloud-based approach to be effective?

    The more users you have the higher the probability one of your users will catch the cold and stop it being passed on to their compatriots?

    I'm running Immunet that has 62k users and protects against 7m threats.

    Can smaller companies buy "threats" from others, as 62k users doesn't seem a lot?

    If not, there seems to be an inherent advantage for larger, established companies which would seriously affect innovation.

    Explanations welcome.

    Ian
     
  2. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    I am under the same understanding. I'm not really sure how a cloud AV works, but I picture it somewhat like what you have explained.
     
  3. Fuzzydice45

    Fuzzydice45 Registered Member

    Joined:
    May 13, 2009
    Posts:
    108
    Location:
    Australia
    A cloud-based product doesn't necessarily mean it relies on its users' actions to determine if a file is dangerous.

    The "Cloud" part just means instead of scanning the file against a list of signatures, it sends the hash sum of the file (like an ID card) to the vendor (let's say Panda), who then scans it with their own signatures, and sends the results back to you.

    This saves having to update the AV, the vendor just has to update the signatures on their servers and reduces the drag on your PC as it doesn't have to scan the file itself.

    If it's a community-based product (whether cloud or not) - like the WOT addon - that shows you what its users have done with the file/website and leaves it up to you to decide if you want to run the file or go to the website, then yes, a bigger user base would generally be better.

    But if it's not community-based and it's just a cloud-based AV (such as Panda) then it doesn't really matter how many users it has, because it gets its signatures from other sources.

    So to sum it all up, "Cloud" products use a different method of scanning than normal AVs, but their method of detection remains the same.

    If I'm way off or just plain wrong, feel free to correct me in the most brutal way you can think of.
    :D

    Fuzzy
     
  4. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    So with certain clouds a known hacker could come up with a way to alter the hash of a virus just a little bit and the cloud no longer detects the virus. Seems like a surefire way to get infected to me. Especially when the capabilities of viruses are increasing, allowing them to multiply and such.
     
  5. Jav

    Jav Guest

  6. Fuzzydice45

    Fuzzydice45 Registered Member

    Joined:
    May 13, 2009
    Posts:
    108
    Location:
    Australia
    That's a good point.
    As I understand them, cloud AVs are essentially just a huge server-side list of blacklisted hash sums (files).
    If you changed just a tiny part of the infected file, or even just added some random data on the end of it, the hash sum would be completely different and it would get through.
    Unless the cloud AV vendors have some tricks up their sleeve to protect against this...
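
Added example, not part of the original thread: a toy comparison of the exact hash lookup described in the posts above with a content-similarity lookup, to show why an exact-hash blocklist is brittle and what a similarity signal adds. `ToyCloud`, the shingle-based similarity measure and the sample bytes are all constructed for illustration; they are not any vendor's method.

```python
import hashlib
import random

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def shingles(data: bytes, width: int = 16) -> set:
    # All overlapping width-byte windows: a crude content fingerprint.
    return {data[i:i + width] for i in range(len(data) - width + 1)}

def similarity(a: bytes, b: bytes) -> float:
    # Jaccard similarity of the two shingle sets, from 0.0 to 1.0.
    sa, sb = shingles(a), shingles(b)
    union = sa | sb
    return len(sa & sb) / len(union) if union else 1.0

class ToyCloud:
    # Hypothetical vendor side: known-bad samples indexed by SHA-256.
    def __init__(self, known_bad):
        self.samples = {sha256_hex(s): s for s in known_bad}

    def exact_lookup(self, file_hash: str) -> bool:
        return file_hash in self.samples

    def similar_lookup(self, data: bytes, threshold: float = 0.9) -> bool:
        return any(similarity(data, s) >= threshold
                   for s in self.samples.values())

def rand_bytes(seed: int, n: int = 4096) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def demo() -> dict:
    known = rand_bytes(1)              # constructed stand-in for a known sample
    padded = known + b"\x00" * 32      # same content with data appended
    unrelated = rand_bytes(2)          # constructed unrelated file
    cloud = ToyCloud([known])
    return {
        "known_exact": cloud.exact_lookup(sha256_hex(known)),
        "padded_exact": cloud.exact_lookup(sha256_hex(padded)),
        "padded_similar": cloud.similar_lookup(padded),
        "unrelated_similar": cloud.similar_lookup(unrelated),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The similarity lookup here compares raw content on the server side for simplicity; it stands in for the general idea of matching on something less fragile than a whole-file cryptographic hash.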
     
  7. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263

    Maybe the heuristic part of the AV can help here? Or no? Prevx has it, Immunet is adding it... does anyone know?
     
  8. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    If a virus manages to get past the cloud-based checksums and the creator has created the virus to automatically change sizes every so often from a command server remotely, it will never get detected. The checksums will be changing all the time, and since it's already through the cloud, heuristics are out the window. At that point you could be giving away confidential information or be part of the largest botnet around.
     
  9. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    There are two aspects of “the cloud” typically discussed in the context of anti-malware products: (1) placing signatures in-the-cloud, rather than -- or in addition to -- storing them locally on the PC; and (2) using community-based (“herd”) intelligence to enhance protection.

    For the first aspect, clearly the number of the users of a cloud-based anti-malware product is not relevant (except perhaps from a performance perspective). For the second aspect, however, I would argue that the quantity of users in the community is quite important. As the size of the community grows, the benefit of the infection of any one user with malware is instantly multiplied across all other users of the anti-malware product who are then protected against the same threat. For this reason, the “big players” in the realm of anti-malware products have an inherent advantage in this respect.
     