Why is my cloud better than your cloud?

“Why is my cloud better than your cloud?” It’s a question sure to garner more attention as security vendors increasingly incorporate a “cloud component” into their anti-malware products. Symantec attempts to answer this question here in reference to Norton Internet Security 2010 – but, does a poor job, in my opinion.

So, what does make one cloud better than another? Could it be:

1. “Breadth” -- the number of worldwide users contributing in real-time to the database of trusted files and malware threats
2. “Depth” -- the comprehensiveness of information captured about each trusted file and malware threat (e.g., the URL from which the file was obtained)
3. “Scoring” -- the algorithm by which the information from “#1” and “#2” are converted into a reputation rating

Why might Kaspersky’s or Panda’s or Prevx’s cloud (for example) be better/worse than Symantec’s? Or, is “the cloud” per se already becoming a commodity, providing little competitive differentiation among anti-malware products?

 

I dont know about Kas or Panda but with Norton also having sigs in place, it would seem the best of both worlds compared to Prevx and just the cloud. Off line it would still provide protection and detection.

 

The one that's most secure, least exploitable, and ofcourse, not easily taken down by DDoS. I would seriously laugh if the Norton/Prevx/etc servers were DDoS'd and removed protection from users xD.

 

Yeah, my guess is that they secure their individual company with that in mind pretty well.

My personal opinion is that the software delivering the best security for the specific user using it - with or without cloud-technology - is the one on top. What I partly mean by that is that no software is on top for everyone. Prevx for example is praised from almost any direction, while it's not my cup of tea at all. Cloud-tech. is on the other hand a great technology to bolster the protection provided, but also keep better track of good programs, which is shown in a couple of software having their own developed technology from the company behind it - mine would be Symantec.

Isn't the cloud of Kaspersky based on the Bit9 database?

 

Elapsed, that’s an interesting perspective: it’s the reliability of the anti-malware vendor’s cloud rather than the content within the vendor’s cloud that will become an important differentiating factor. For anti-malware vendors that have already had experience in this realm, what are the "percent uptime" statistics? Are there known cases when, for example, Prevx or another such vendor has been unavailable and has thus placed their users at risk?

At least with the Symantec approach, if -- in the rare event that the “cloud” is inaccessible -- then the user is still protected by both the heuristic detection engine and the antivirus signatures resident on the client (as noted by Trjam).

 

Cloud computing seems to be the new buzzword with its own different slant on security. What Symantec is doing is adding this to their armoury with the theory than any one of their technologies should pick up on the malware - by signature, by heuristic, by cloud etc. It's a case of who gets there first.

With KL, users can choose to opt in to using the Kaspersky Security Network, but I don't think it wholly uses the Bit9 database. That's used whether or not KSN is activated in the Application Control component of KIS.

 

By the same token, one hopes the servers that distribute the signature updates are always accessible. They must have an infrastructure in place to protect this and presumably the Quorum servers that will deliver the cloud technology.

 

Correct, and in another case, where YOU'RE connected, but there's no information in the cloud, and not so much presence of bad behavior that the file can be deemed dangerous by SONAR straight away - you'll be told that the file you're about to run is completely new and that it's recommended to stop it from doing so. You also have the choices to delete it straight away, or actually allow it to run.

 

To my eye the Panda Cloud implementation seems best, since:
*They have signature, heuristics and HIPS as first line of defence
*When a suspicious item is seen, most services (McAfee Artemis & Kaspersky Network) just check servers to see if its a known malware. But if its a new never before seen sample all of them will miss. But Panda in case of miss, sends the sample over to its Cognitive Intelligence servers. Where its analyzed in automated sandbox and definitions are distributed asap.

 

Well, KSN is the same, an example (from Urgent Detection System, part of KSN, file was deemed suspicious by HIPS emulator):

... the next update carried out sigs for the file. In 2010 KSN has been extended, so files are submitted and analyzed more effectively and quickly.

 

I suppose this is when running the full software and not just Panda Cloud-AntiVirus - correct?

 

The first question to ask is what "type" of cloud we're talking about, as some of the marketing descriptions of products out there make it too confusing on purpose (everybody's getting on the "cloud"-wagon nowadays).

1- Web reputation. Cloud-based/community detection of malicious URLs/websites. From what I can gather this is mostly focus of Symantec, McAfee, Trend.

2- Email reputation. Cloud-based detection (Cloudmark, etc.) of spam and malicious attachments. Also Trend, Symantec, Panda and others.

3- Malicious file detection. Cloud-based detection of malicious binary files. Symantec (community), McAfee Artemis & F-Secure Blackligh (md5) and Prevx & Panda (community + md5 + generic sigs + heuristics).

4- White-listing from the cloud. Symantec, Panda, Prevx.

Of course the implementations vary... there's as many types of different implementations as products out there. For ex. F-Secure checks against the cloud only files detected by its local heuristics (at least last time I looked) and Artemis only after non-detection of local sigs + some other criteria. Symantec relies more heavily on URL/prevalence/digitalcert of the file rather than its malicious content. Real-time cloud-queries on binary files intercepted by the resident driver is only done by Prevx and Panda (as far as I know).

Not sure about the others mentioned, if they are truly "cloud" (queries over the Internet per object) or simply delivering sigs to the local client every few hours. This distinction is important and not very clear at first sight.

DISCLAIMER: I'm from Panda & I've probably missed a few vendors (not intentionally ) but just trying to illustrate the different "types of clouds" with some examples.

 

From the looks of it, KIS does it as well. Simply opening the folder containing the samples would trigger the detection. Unfortunately I don't have a screenshot of the warning on explorer.exe accessing them, but here's an alternative, in FF cache (meaning not executed):

Another way of trying would be to disable everything except File-AV (real-time component). It detects the sample:

 

I have NIS2010 beta installed. I watched the video about Download Insight. I looked in settings, and I don't have anything there that lists Download Insight. I went to Help, it says to go to Network, Settings and enable or disable it there. Nothing is listed there, or anywhere else. I'm about to uninstall/reinstall to see if that helps.

 

how much of this cloud thingy real or is it just a marketing gimmick?

 

It's real, but to a certain extent. The new generation 'cloud' will allow vendors to get an insight into many more programs then before, however, if there automatic analysis from the server turns out to be 'false' then the user may open the file thinking that they are safe without taking certain precautions. So in other words, I don't think the cloud will be the 100% breakthrough amazing technology people think it will be.

As for the cloud itself, it is very real

 

I've not taken a look into that yet, but according to this:

Kaspersky Security Network/ Urgent Detection System: The Kaspersky Security Network is a collaborative approach to early identification of new threats. For Kaspersky users who agree to take part, Kaspersky Internet Security 2010 will gather information about safe and identified unsafe software to build extensive black and white lists. If Kaspersky Internet Security 2010 identifies software acting suspiciously, the relevant details are sent to Kaspersky Lab for specialist investigation and entry into Kaspersky Lab’s Urgent Detection System for real-time updated protection for all users. It’s an online Internet cloud-based database of new threats to prevent epidemics from breaking out.

From the description it seems as if telemetry is sent of locally detected objects (by sig + heuristic) to prioritize creation of signature updates. It doesn't say anything about detection from the "security network" but I haven't tested myself.

 

I have not tried the Cloud AV. My view is derived from the use of Panda 2010 beta.

 

This is exactly the reason why KIS 2010 is much faster

 

Thanks for the answer, vijayind.

 

Just for discussion... I guess the "SHA256 hash" sent through an encrypted connection to Quroum by Norton could be compared to "MD5" somehow, difference being different types of hashes? Generic sigs and heuristics are handled primarily by "Auto-Protect" in the software, while SONAR, being improved by Qurorum implementation and probably overall handles behavior analyzis and cooperates with Qurorum and its technology/data. With that said, I would consider Symantec to have it all implemented as well.

 

Well it's different to have *local* generic sigs and heuristics than having them *remotely* from the cloud. According to Symantec's write-up they don't describe any such implementation:

I understand this as a URL/file reputation combined with file white-listing approach.

 

Not quite correct - the system that the software is running on communicates with Quorum to see what the *remote* information has to say, and at the same time compares it to what information is gathered on the local system. That's how it works, and that's why this is analyzis speeds up the software heavily - it's gathered and handled *remotely*.

Please look through this topic: http://community.norton.com/norton/board/message?board.id=nis2010_pb&thread.id=310 - and more specifically what Jesse Gough has to say, one of the engineers behind Quorum. That along with the other employees also providing information. I'm also active there under the nick "RavenMacDaddy" to figure out how effective the software - either being NAV or NIS - actually protects and works.


On the other note I'll quote the message which I wrote just previously: "Generic sigs and heuristics are handled primarily by "Auto-Protect" in the software, while SONAR, being improved by Qurorum implementation and probably overall handles behavior analyzis and cooperates with Qurorum and its technology/data. With that said, I would consider Symantec to have it all implemented as well." The bottom-line is: the software works as a whole. Everything is NOT about Quorum - this is the same case with your software, don't forget that.


Regards.

 

Pbust, can you kindly explain the advantages/disadvantages of having generic anti-malware signatures on the client (locally) versus in the cloud (remotely)?

* * * * * * * * * * * * * * *​

From my understanding of Norton Internet Security 2010, it appears that Symantec has placed specific reputation ratings corresponding to individual files in the cloud but retained generic anti-malware signatures on the client. Of course, these two components interact in real time through the Auto-Protect function and SONAR for malware detection and prevention.