Anti-virus Moves to the Cloud

By Larry Seltzer  |  Posted 2009-04-29 Print this article Print

OPINION: Vendors such as Panda Security, McAfee and Trend Micro are looking into cloud security approaches. The volume and velocity of malware developments necessitate changes like this, and there are advantages to the cloud approach. It's also a risky move, but it's beginning to look inevitable.

Panda Security has released a beta of its Panda Cloud Antivirus. It's a free download at and there will be a free version of it even after it ships.

The idea of a "cloud" product here is not really a gimmick, even if "cloud" is the buzzword of 2009. There are good reasons to move detection and other parts of the product into the cloud, even putting aside the reasons why the noncloud approach is not working anymore.

Note that McAfee already has put at least some of this functionality into its own cloud and other major companies are working on the cloud security concept.

Instead of keeping all the signatures for malware local, these products keep a local whitelist of files. Very few of the files on the system actually change over time. When a new file appears, especially one that appears from the Internet, that's when an anti-malware product needs to take action. Cloud products then send some hash of the file up into the cloud; if it's new, perhaps they send the file also, but if it's already identified they can send a thumbs-up or thumbs-down back to the client.

New malware and other threats are coming out at such high velocity that it's folly to think you can distribute signatures to a large and worldwide user base fast enough to be effective. The distribution of every signature to every user in the world sucks huge bandwidth and still is too slow to detect well enough. And as the volume and velocity of malware increase, local solutions will fall further behind.

The main advantage of the cloud approach is that the "signatures" need only be in the cloud, not distributed to all users. There are other advantages: The client becomes much smaller and lighter, and indeed Panda is touting its as a "thin client." Plus there's an element of collaboration that's improved through the cloud, in that the vendor can get a sense much more quickly of how fast certain threats are spreading and how quickly they should move new threats from automated to manual analysis.

Panda also has a feature called "retroscan" that kicks in when a new file is determined to be malicious. In the time since it was first sent and the determination, users may have been given a green light from Panda, but the Panda cloud holds on to the fact that the file was detected on those systems. It goes back to those clients and marks the file as bad.

There are definitely potential downsides too. The more you rely on the cloud, the more your Internet connection and the speed of the cloud become an issue in your system performance for what might seem like local operations. There are still a lot of people out there with slow or high-latency connections, and for them this may be too cutting-edge an approach. Of course, the cloud products aren't completely cloudy; there are local signatures in them, basically what the vendor thinks is the real hot list of malware most likely to show up.

I was pretty harsh on McAfee's Artemis cloud project as a concept, but I suppose I should apologize to McAfee. Even if all the claims for performance and efficacy of cloud solutions are exaggerated, the fact is that conventional solutions are still an unsustainable approach. This is a prediction I've heard for years and you might ask when those solutions will actually fall behind malware, and the answer has to be in the rear-view mirror already. Conventional anti-virus is not useless, but it's of diminishing usefulness, at least on its own. More and more you need to supplement it with other approaches like IPS. Cloud services may give the good guys a boost that could help us all.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel