Why is my cloud better than your cloud?

Discussion in 'other anti-virus software' started by Pleonasm, Jul 6, 2009.

Thread Status:
Not open for further replies.
  1. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Also, don't forget that EVERYTHING is first analyzed by Quorum which really speeds up the process. All that's left then is for Auto-Protect to either allow or disallow depending on determination. I wrote more firmly about this here: https://www.wilderssecurity.com/showthread.php?t=247229
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'll jump in for this one (pbust, feel free to share Panda's viewpoint as well :))

    The only benefit for having signatures locally is to function offline. If the AV company has developed sufficient technology which is capable of applying generic signatures within the cloud (something only Panda and Prevx are able to do at the moment as far as I know), there is no technological benefit in holding the signatures locally.

    Benefits of holding them in the cloud include:
    - Always up to date
    - Faster processing/less overhead (generic signatures require far more overhead than a simplistic signature)
    - Centralized view means the signature can be dynamic and take data into account from multiple sources rather than just looking at the local user's computer
    - Lower bandwidth usage (the client only needs to know about what the client has seen)

    Further optimizations come into play as well when the cloud implementation includes a quick check first before bothering to deal with generating more complex signatures or performing more detailed analysis.

    If the AV company can build an intelligent product and a scalable architecture which keeps the cost per user down low enough, there really isn't a reason not to be in the cloud :)
     
  3. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    I wasn't trying to argue against any product not functioning as a whole in respect to the different technologies it integrates... we all do, whether it's local or remote.

    My point is only about the different technologies offered "from the cloud", regardless of which are local. As PrevxHelp correctly points out, the more technology can be migrated to the cloud, the less dependence we'll have on locally installed technologies consuming resources and not being as up-to-date as possible.

    What we're witnessing is just the massive migration of security technologies from locally installed to the cloud. Some vendors are more advanced than others and some have different approaches in the use of the cloud. This doesn't mean one is better than the other, it just means some are more advanced in this move than others. We started this move in 2006 and Prevx started way back as well. Some others started last year and some are starting this year. I'm sure eventually many vendors will also migrate their generic sigs and heuristics determination to the cloud (in addition to and in sync with smaller local sigs and micro-heuristics for improved determination and offline operation). It's just a matter of time.
     
  4. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Raven211, perhaps this is a ‘silly’ question, but I noticed that Symantec’s description of Quorum is limited to the case of downloaded files from the Internet. I assume that Quorum is also employed if the user is copying files from an external flash drive or from a CD disc onto her or his PC, or is saving an attachment from an email. Am I correct?
     
  5. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Not to mention that the malware writers will have a hard time testing against cloud detection without revealing their samples. But then, it should not be too hard to make a sample "unique" again after the previous sample was undetected if full file hashes like md5 and sha are used.
     
  6. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    That strikes me as a non-trivial and significant benefit. It is not uncommon to install or run software from a CD disc or flash drive, for example, when offline -- and a security solution should, in my opinion, provide protection against malware under these circumstances, too.

    P.S.: PrevxHelp and Pbust, thank you for your insightful comments.
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    And a conventional AV is also unable to download new signatures when the internet is down ;)

    While it is true that offline protection is useful, in a world of broadband, installing software when offline is rare (and the chance of actually receiving malicious software via a CD when offline is even more rare). Autorun malware is handled easily via local policies and logic/configuration.

    Depending on how the individual cloud product works, it will most likely reverify the files immediately with the central database once the internet is turned back on so the actual time exposed to the threat is low, and definitely even lower than that of a conventional AV which would have to then download the signatures, apply them, and rescan the system.
     
  8. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    This is true, but personally I would prefer (a) the case in which the incremental protection provided by signatures is contributing to malware prevention when offline than (b) the case in which this functionality is totally absent.

    When running or installing a malicious file while offline, it seems reasonable to speculate the threat is comparatively "old" and thus its detection is likely to be assisted through the use of local signatures already resident on the PC.
     
  9. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    This is also another benefit of using cloud... you can store a local cache copy of the cloud signatures, a "moving target" if you will, which consists of the prevalent malware to be protected against during offline operation. In this model, the local copy of the cloud, in the form of "moving target signatures", has signatures taken out as malware fades out or dies and new ones added in as new malware becomes prevalent.

    When we last looked at this, 52% of the new malware we were receiving every day had a lifetime of less than 24 hours (downloaders from inactive URLs, unreachable C&Cs, drop-hosts, etc.)... why keep all those signatures locally using valuable memory? (and let's not talk about malware which is over 2 years old!)
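The cloud-first lookup with a "moving target" local cache that pbust and PrevxHelp describe (cloud consulted when online, a local cache of only still-prevalent signatures when offline, and re-verification of offline lookups on reconnect), as an added toy model that is not any vendor's code. The cloud table, the sample file contents and the 24-hour cache lifetime are constructed assumptions.

```python
"""Toy model of a cloud-first AV lookup with a "moving target" local cache.

Added illustration, not any vendor's implementation. The cloud database,
the sample file contents and the 24-hour expiry policy are constructed.
"""
import hashlib
from datetime import datetime, timedelta


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "cloud" database: sha256 -> (verdict, last seen in the wild)
NOW = datetime(2009, 7, 6, 12, 0)
CLOUD_DB = {
    sha256_hex(b"prevalent-downloader"): ("malware", NOW - timedelta(hours=2)),
    sha256_hex(b"dead-downloader"): ("malware", NOW - timedelta(days=3)),
    sha256_hex(b"notepad"): ("clean", NOW - timedelta(hours=1)),
}
CACHE_TTL = timedelta(hours=24)  # assumed lifetime of a cached signature


class Client:
    def __init__(self, online: bool = True):
        self.online = online
        self.cache = {}    # sha256 -> verdict, only prevalent malware
        self.pending = []  # hashes looked up offline, re-verified on reconnect

    def refresh_cache(self, now: datetime = NOW) -> set:
        """Pull only malware signatures still seen within the TTL; drop faded ones."""
        self.cache = {h: v for h, (v, seen) in CLOUD_DB.items()
                      if v == "malware" and now - seen <= CACHE_TTL}
        return set(self.cache)

    def lookup(self, data: bytes) -> tuple:
        """Cloud first when online; otherwise the local cache, else 'unknown'."""
        h = sha256_hex(data)
        if self.online:
            return h, CLOUD_DB.get(h, ("unknown", None))[0]
        if h in self.cache:
            return h, self.cache[h]
        self.pending.append(h)  # remember it for re-verification
        return h, "unknown"

    def reconnect(self) -> dict:
        """Re-check everything seen offline against the cloud, then clear the queue."""
        self.online = True
        results = {h: CLOUD_DB.get(h, ("unknown", None))[0] for h in self.pending}
        self.pending.clear()
        return results
```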
     
  10. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    There is no such thing as a silly or dumb question or whatever - we're all just looking for answers to gain more knowledge. ;) (Maybe I should write poetry? :D)

    If I got this correctly myself, everything, like I said before, is checked against the Quorum-data first which makes the process as fast and effective as possible. Whether it's on disc of any sort, or a download - whatever - it's checked there first for the reasons I just mentioned. That's simply the most effective source of the new Norton product-line.
     
  11. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    That's why it doesn't. ;) You said it yourself - it's two years old. Then it's already in the database - ONLINE. It's been released in the last 24 hours? Who knows, maybe enough data has already been gathered. It's not? The user is alerted about its status and is always recommended to block it till more data is gathered and the software can determine the appropriate action by itself.
     
  12. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    I wasn't talking about Symantec specifically, but now that you mention it... are you saying that Symantec has taken out signatures for older malware? Do you have more info about this?
     
  13. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I'm sure they know this more than I do sadly, even if I try my best to answer and discuss things. Sorry if I brought something up unnecessarily. :oops:

    I'm writing a message right now at their forums, asking them if they could come over here to give insight information and respond, so we'll see how that goes - hope it succeeds. :)

    What I do know is that, referring to what I said, even if they DID have signatures of some older malware lying around in their local database, this would still not be used when something is scanned in real-time, simply because it'll use the data provided by Quorum, and that's the most effective and also fastest way. The only downside I can see with a local database in this case is the initial download of it. Otherwise it means that the user is protected against most new - and old malware at the same time - even if offline.

    All the time that it has a connection to the internet, it'll use the connection to Quorum to make an informed decision, just like yours or Prevx does. The only time it'll not is when data is not found there, so it'll take advantage of the technologies found in the other components of the suite - be it NAV or NIS as I'm talking about the AM-front - whether it's local behavioral analysis done by SONAR, or generic/heuristic detections by Auto-Protect (alternatively local signatures ofc.).

    The conclusion when it comes to how Symantec have thought - from MY point of view - is NOT that it still uses local technologies, because it does this for a good reason; to try to make an informed decision no matter the case to protect the user and make his or her operation as convenient as possible at all costs. A way that it does this is by taking advantage of its own Quorum-technology in all cases that it can - when it can't, it'll take a step further, checking with the other components to still try to save the user from hassle.
     
    Last edited: Jul 7, 2009
  14. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Raven211, the fact that reputation ratings are always used by NIS10 first before signatures in assessing potential malware suggests that reputation ratings are more powerful in detecting and preventing malware than signatures. As a consequence, it follows that a security product which incorporates reputation ratings in its malware detection decision engine will be more effective than a product which lacks this component (all other things being equal).

    So, do we know: (1) to what extent are reputation ratings more or less powerful in detecting and preventing malware than signatures; and (2) whether Symantec is the only company to implement and deploy reputation ratings for security?
     
  15. dnadir

    dnadir AV Expert

    Joined:
    Jul 7, 2009
    Posts:
    2
    Location:
    Culver City
    There is text in a few places that needs to be updated during the beta. Under Settings->Web Settings you will see "Download Intelligence".

    "Notifications" should read "Download Insight Notifications" and "Alerting" should read "Download Insight Alerting".

    Sorry for the confusion.
     
  16. Graystoke

    Graystoke Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    1,506
    Location:
    The San Joaquin Valley, California

    Thanks dnadir. Yes I finally found it. It's also located on the main GUI at the bottom right. How could I have missed that? :rolleyes:
     
  17. dnadir

    dnadir AV Expert

    Joined:
    Jul 7, 2009
    Posts:
    2
    Location:
    Culver City
    There is certainly a bit of confusion about what "in the cloud" actually means. The Quorum technology is in the cloud, but that's where the similarity ends.

    Quorum isn't about static signatures hosted in the cloud to improve performance or save disk space. Quorum is completely new - it provides a dynamic real-time database of really useful reputation information - but it is not a replacement for other technologies. It is a means to an end. Quorum is used by other components like Download Insight and SONAR to gain more confidence when we flag something as malware.

    Also, unlike signatures, Quorum reputation information can (and is likely to) change as we get more information about an application/file.

    Hope this helps.

    Dan
     
  18. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Thought I would paste something which was written at the Symantec forums where I asked if they could come here, which they indeed have, as I can see. Credit goes to Jesse Gough - author of the message, employee at Symantec and engineer of Quorum.

    The post reads as follows:
     
  19. HJO

    HJO Guest

    Hi,

    What is a cloud thingy?

    Thanks in advance.
     
  20. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,851
    Location:
    Texas
  21. HJO

    HJO Guest

  22. thathagat

    thathagat Guest

    well how different is this from what outpost pro does....?
     
  23. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    If I understand correctly, anti-malware signatures (whether in-the-cloud or on-the-client) are based on malware analysis (e.g., a heuristic examination of the behavior of the sample) -- and, as a consequence, will always be limited in their usefulness by the breadth and depth of that scrutiny. Reputation ratings, in contrast, have no such asymptotic constraint.

    Symantec appears to have changed the rules of the game with Norton Internet Security 2010. It is no longer a discussion only about the effectiveness of anti-malware signatures (although this technology continues to be important), but now also encompasses the “trustworthiness” of a file (as measured by reputation).
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The Reputation ratings which Symantec has are useful (we have had them for ages as well, known as Age/Popularity heuristics) but are by no means an end-all approach.

    Not only are they flawed by concept (legitimate companies can release illegitimate code - i.e. Sony's rootkit - so whitelisting by digital certificate clearly doesn't work), they are also flawed in operation if depended on entirely.

    Based on the post which raven211 quoted, Symantec is saying they're using SHA256 to identify programs. This means that they have only a one-to-one view of a program and cannot extrapolate onto other variations/versions of the program, therefore, if they were to depend on it, they would produce a warning for every new component of every new program released on probably 1,000+ PCs until it is trusted enough to pass through.

    Granted, this may work well for users who never install new software but it would sure annoy 1,000 users for every new component of every program released. We see well over 250,000 new executable programs every day so that would be 250,000,000 warnings generated if we were to have implemented it like this. I'm guessing neither Symantec nor Prevx nor any other vendor would have many users after doing that ;)

    Reputation analysis is a tool, not to be confused with the absolute best thing since sliced bread. If reputation analysis was able to determine the bad from the good, it would need to use rules.... and using rules to identify the intent of a program sure sounds like what heuristics/signatures are :rolleyes:
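PrevxHelp's point about a purely per-hash (SHA256) reputation, as an added toy simulation that is neither Symantec's nor Prevx's scoring: every distinct file content starts from zero, so each new build of a program warns the first N users who see it, and a new build with different bytes starts the count over. The trust threshold of 1,000 users (the figure used in the post) and the sample programs are constructed assumptions.

```python
"""Toy per-hash reputation scorer illustrating the "one-to-one" problem.

Added illustration, not any vendor's algorithm. The trust threshold,
the reputation table and the sample program contents are constructed.
"""
import hashlib

TRUST_THRESHOLD = 1000  # assumed: distinct users who must see a hash before it is trusted


class Reputation:
    def __init__(self):
        self.seen = {}  # sha256 -> set of distinct users who reported it

    @staticmethod
    def key(data: bytes) -> str:
        # Identity is the exact file hash, so any byte change is a new identity.
        return hashlib.sha256(data).hexdigest()

    def report(self, data: bytes, user: str) -> str:
        """Record that `user` encountered this exact file content."""
        h = self.key(data)
        self.seen.setdefault(h, set()).add(user)
        return h

    def verdict(self, data: bytes) -> str:
        """'trusted' once enough distinct users have seen this exact hash, else 'warn'."""
        n = len(self.seen.get(self.key(data), ()))
        return "trusted" if n >= TRUST_THRESHOLD else "warn"

    def warnings_for_rollout(self, data: bytes, users: list) -> int:
        """Simulate `users` installing the same build one after another; count who got warned."""
        warned = 0
        for u in users:
            if self.verdict(data) == "warn":
                warned += 1
            self.report(data, u)
        return warned


def rollout_example() -> tuple:
    """Two builds of one program, each installed by 1,500 users."""
    rep = Reputation()
    users = [f"user{i}" for i in range(1500)]
    build1 = b"MyApp build 1.0"
    build2 = b"MyApp build 1.0.1"  # different content, so a different hash
    first = rep.warnings_for_rollout(build1, users)   # first 1,000 users warned
    second = rep.warnings_for_rollout(build2, users)  # reputation starts over: 1,000 again
    return first, second, rep.verdict(build1), rep.verdict(build2)
```

The same 1,500 users get warned 1,000 times for the first build and another 1,000 times for the next build, which is the per-release cost the post describes; a generic signature or a per-publisher view would not restart the count.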
     
  25. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    While Symantec is somewhat guarded about the “secret sauce” of its reputation ratings, the data used by the scoring algorithm includes more than age and popularity (see here).

    Symantec’s approach to reputation ratings is not based solely upon prevalence (i.e., the frequency of occurrence of the file), and thus is not subject to this criticism.

    Symantec does not rely exclusively upon reputation ratings -- but, uses them in conjunction with its other anti-malware technologies.

    The unit of analysis for reputation is the individual; thus, the need to aggregate to “variations” doesn’t seem to be necessary (or desirable).

    Symantec will likely see even more, with about 25 million members in its community. Time will tell if the “unknown software warnings” issued by Symantec prove to be an inconvenience to users. While in total the number of warnings may be large, for any one single user, I suspect that the experience of such a warning will be infrequent and thus not a concern.

    To expand on this theme…

    And…

     