Is there a critical mass for cloud solutions?

Am I right in thinking that there is a critical mass of users for a cloud-based approach to be effective?

The more users you have the higher the probability one of your users will catch the cold and stop it being passed on to their compatriots?

I'm running Immunet that has 62k users and protects against 7m threats.

Can smaller companies buy "threats" from others as 62k users doesn't seem a lot.

If not, there seems to be an inherent advantage for larger, established companies which would seriously affect innovation.

Explanations welcome.

Ian

 

I am under the same understanding. Im not really sure how a cloud AV works, but I picture it somewhat like what you have explained.

 

A cloud-based product doesn't necessarily mean it relies on it's users actions to determine if a file is dangerous.

The "Cloud" part just means instead of scanning the file against a list of signatures, it sends the hash sum of the file (like an ID card) to the vendor (let's say Panda), who then scans it with their own signatures, and sends the results back to you.

This saves having to update the AV, the vendor just has to update the signatures on their servers and reduces the drag on your PC as it doesn't have to scan the file itself.

If it's a community-based product (whether cloud or not) - like the WOT addon - that shows you what it's users have done with the file/website and leaves it up to you to decide if you want to run the file or go to the website, then yes, a bigger user base would generally be better.

But if it's not community-based and it's just a cloud-based AV (such as Panda) then it doesn't really matter how many users it has, because it gets it's signatures from other sources.

So to sum it all up, "Cloud" products use a different method of scanning than normal AVs, but it's method of detection remains the same.

If I'm way off or just plain wrong, feel free to correct me in the most brutal way you can think of.


Fuzzy

 

So with certain clouds a known hacker could come up with a way to alter the hash of a virus just a little bit and the cloud no longer detects the virus. Seems like a sure fire way to get infected with me. Especially when the capability of viruses are increasing allowing them to multiple and such.

 

maybe something like this aswell: http://www.threatexpert.com/introduction.aspx

 

That's a good point.
As I understand them, cloud AVs are essentially just a huge server-side list of blacklisted hash sums (files).
If you changed just a tiny part of the infected file, or even just added some random data on the end of it, the hash sum would be completely different and it would get through.
Unless the cloud AV vendors have some tricks up their sleeve to protect against this...

 

Maybe the Heuristic part of the Av can help here? or no? Prevx have, Immunet is adding... anyone knows?

 

If a virus manages to get past the cloud based checksums and creator has created the virus to automatically change sizes every so often from a command server remotely it will never get detected. The checksums will be changing all the time and since its already through the cloud heuristics are out the window. At that point you could be giving away confidential information or be part of the largest bot net around.

 

There are two aspects of “the cloud” typically discussed in the context of anti-malware products: (1) placing signatures in-the-cloud, rather than -- or in addition to -- storing them locally on the PC; and (2) using community-based (“herd”) intelligence to enhance protection.

For the first aspect, clearly the number of the users of a cloud-based anti-malware product is not relevant (except perhaps from a performance perspective). For the second aspect, however, I would argue that the quantity of users in the community is quite important. As the size the community grows, the benefit of the infection of any one user with malware is instantly multiplied across all other users of the anti-malware product who are then protected against the same threat. For this reason, the “big players” in the realm of anti-malware products have an inherent advantage in this respect.