The idea of a “cloud” product here is not really a gimmick, even if “cloud” is the buzzword of 2009. There are good reasons to move detection and other parts of the product into the cloud, even putting aside the reasons why the noncloud approach is not working anymore.
Instead of keeping all the signatures for malware local, these products keep a local whitelist of files. Very few of the files on the system actually change over time. When a new file appears, especially one that appears from the Internet, that’s when an anti-malware product needs to take action. Cloud products then send some hash of the file up into the cloud; if it’s new, perhaps they send the file also, but if it’s already identified they can send a thumbs-up or thumbs-down back to the client.
New malware and other threats are coming out at such high velocity that it’s folly to think you can distribute signatures to a large and worldwide user base fast enough to be effective. The distribution of every signature to every user in the world sucks huge bandwidth and still is too slow to detect well enough. And as the volume and velocity of malware increase, local solutions will fall further behind.
The main advantage of the cloud approach is that the “signatures” need only be in the cloud, not distributed to all users. There are other advantages: The client becomes much smaller and lighter, and indeed Panda is touting it as a “thin client.” Plus there’s an element of collaboration that’s improved through the cloud, in that the vendor can get a sense much more quickly of how fast certain threats are spreading and how quickly they should move new threats from automated to manual analysis.
Panda also has a feature called “retroscan” that kicks in when a new file is determined to be malicious. In the time between the file first being sent up and the determination, users may have been given a green light from Panda, but the Panda cloud holds on to the fact that the file was detected on those systems. It goes back to those clients and marks the file as bad.
There are definitely potential downsides too. The more you rely on the cloud, the more your Internet connection and the speed of the cloud become an issue in your system performance for what might seem like local operations. There are still a lot of people out there with slow or high-latency connections, and for them this may be too cutting-edge an approach. Of course, the cloud products aren’t completely cloudy; there are local signatures in them, basically what the vendor thinks is the real hot list of malware most likely to show up.
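The mechanics described above, as an added example that is not Panda's or McAfee's code: a toy client keeps a local whitelist of cleared hashes plus a small local hot list, sends only a hash (and the sample when the hash is new) to a toy cloud service, and the cloud remembers which clients asked about each hash so that a later “malicious” verdict can be pushed back to them, the retroscan behaviour from the earlier paragraph. The class names, the verdict strings and the sample file contents are all constructed for this illustration.

```python
import hashlib
from typing import Dict, Optional, Set

# Verdict values exchanged between client and cloud (constructed for this example)
UNKNOWN, CLEAN, MALICIOUS = "unknown", "clean", "malicious"


def file_hash(data: bytes) -> str:
    """Hash of the file contents; normally this is all the client sends up."""
    return hashlib.sha256(data).hexdigest()


class CloudService:
    """Toy stand-in for the vendor's cloud: holds verdicts and remembers which
    clients asked about which file, so a later verdict can be pushed back."""

    def __init__(self) -> None:
        self.verdicts: Dict[str, str] = {}       # hash -> verdict
        self.seen_by: Dict[str, Set[str]] = {}   # hash -> clients that asked
        self.pending: Dict[str, Set[str]] = {}   # client -> hashes now known bad
        self.samples: Dict[str, bytes] = {}      # unknown files queued for analysis
        self.lookups = 0                         # round trips made by all clients

    def lookup(self, client_id: str, digest: str, sample: Optional[bytes] = None) -> str:
        self.lookups += 1
        self.seen_by.setdefault(digest, set()).add(client_id)
        verdict = self.verdicts.get(digest, UNKNOWN)
        if verdict == UNKNOWN and sample is not None:
            self.samples[digest] = sample        # queue for automated/manual analysis
        return verdict

    def set_verdict(self, digest: str, verdict: str) -> None:
        """Analysis result arrives. If a file that clients were allowed to run
        is now malicious, flag it for every client that asked about it."""
        previous = self.verdicts.get(digest, UNKNOWN)
        self.verdicts[digest] = verdict
        if verdict == MALICIOUS and previous != MALICIOUS:
            for client_id in self.seen_by.get(digest, set()):
                self.pending.setdefault(client_id, set()).add(digest)

    def poll_retroscan(self, client_id: str) -> Set[str]:
        """Hand a client the hashes whose verdict flipped since it last asked."""
        return self.pending.pop(client_id, set())


class Client:
    """Thin client: local whitelist, local hot list, cloud lookup for the rest."""

    def __init__(self, client_id: str, cloud: CloudService, hot_list: Set[str]) -> None:
        self.client_id = client_id
        self.cloud = cloud
        self.hot_list = set(hot_list)     # small set of locally shipped signatures
        self.whitelist: Set[str] = set()  # hashes the cloud has cleared
        self.blocked: Set[str] = set()    # hashes known bad on this machine

    def scan(self, data: bytes) -> str:
        digest = file_hash(data)
        if digest in self.hot_list or digest in self.blocked:
            return MALICIOUS              # decided locally, no network needed
        if digest in self.whitelist:
            return CLEAN                  # decided locally, no network needed
        verdict = self.cloud.lookup(self.client_id, digest, sample=data)
        if verdict == CLEAN:
            self.whitelist.add(digest)
        elif verdict == MALICIOUS:
            self.blocked.add(digest)
        # UNKNOWN: provisionally allowed, not cached, so it is asked about again
        return verdict

    def retroscan(self) -> Set[str]:
        """Apply verdicts the cloud reversed after this client got a green light."""
        newly_bad = self.cloud.poll_retroscan(self.client_id)
        self.whitelist -= newly_bad
        self.blocked |= newly_bad
        return newly_bad


def run_scenario() -> dict:
    """Constructed walk-through: a hot-list file is blocked offline, a new file is
    provisionally allowed, and the cloud later reverses that decision."""
    known_bad = b"constructed sample: locally signatured malware"
    new_file = b"constructed sample: never seen before"
    cloud = CloudService()
    alice = Client("alice", cloud, hot_list={file_hash(known_bad)})
    bob = Client("bob", cloud, hot_list={file_hash(known_bad)})

    first = alice.scan(known_bad)                        # local hot list hit
    second = alice.scan(new_file)                        # cloud has never seen it
    cloud.set_verdict(file_hash(new_file), MALICIOUS)    # analysis finishes later
    reversed_hashes = alice.retroscan()                  # cloud pushes the change back
    third = alice.scan(new_file)                         # now blocked locally
    fourth = bob.scan(new_file)                          # one lookup, direct verdict
    return {
        "hot_list_verdict": first,
        "provisional_verdict": second,
        "retroscan_hashes": reversed_hashes,
        "after_retroscan": third,
        "second_client": fourth,
        "round_trips": cloud.lookups,
    }
```

The two cloud round trips in the scenario are the whole network cost: every other decision comes from the local whitelist, the local hot list or the blocked set, which is the point of keeping the bulk of the signatures in the cloud. The provisional “unknown” path is also where the latency concern bites, since a slow link delays that first verdict rather than a local signature match.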
I was pretty harsh on McAfee’s Artemis cloud project as a concept, but I suppose I should apologize to McAfee. Even if all the claims for performance and efficacy of cloud solutions are exaggerated, the fact is that conventional solutions are still an unsustainable approach. This is a prediction I’ve heard for years and you might ask when those solutions will actually fall behind malware, and the answer has to be in the rear-view mirror already. Conventional anti-virus is not useless, but it’s of diminishing usefulness, at least on its own. More and more you need to supplement it with other approaches like IPS. Cloud services may give the good guys a boost that could help us all.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.