Friday, March 12, 2010

Anti-virus in the cloud

My anti-virus solution has long been in the cloud. When I suspect I have found a virus, I upload it to Virustotal for analysis. For example, when I transferred a file from a colleague's laptop to my own at work, a quick look in the target directory revealed some files that were pretty obviously viruses. As my laptop was running Ubuntu, I wasn't concerned about infection. Later on, I checked out the files at Virustotal and they were indeed malware. There are anti-virus scanners for Linux, but Virustotal indicated that none of these (Antivir, avast!, AVG, Clam) would have picked up all the infected files, and of course, Linux can't be infected by Windows malware, so the best place for malware analysis for me is in the cloud.
But this is not really what anti-virus in the cloud means. In the cloud anti-virus model, files are analysed by multiple anti-virus engines at a remote location on a network (the "cloud"), but this is done without sending every file across the network. Computer files may be many megabytes in size, and sending each file across a network would be prohibitive in time and bandwidth. Instead the cloud anti-virus creates a hash of each file (just a few Kb in size) and sends that to the remote site. If the hash is recognised by the remote scanning system, it is reported as safe; if it is not recognised, the file is sent across the network and analysed. If it is found to be a virus, the hash is added to the database and any subsequent computer sending the same hash will know the file is malicious almost instantaneously.

This method has the advantage that a large definition file does not have to be stored on the local computer, that new detections are added to the central virus definitions database instantly, and that any virus scanning is done on the remote system and does not use processing power on the local computer. In the original cloud anti-virus system, described in the paper CloudAV: N-Version Antivirus in the Network Cloud, unknown files were analysed on the remote system by multiple anti-virus engines: Avast, AVG, BitDefender, ClamAV, F-Prot, F-Secure, Kaspersky, McAfee, Symantec, and Trend Micro, as well as a couple of 'behavioural engines'.
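
The hash-first lookup and multi-engine analysis described above, as an added sketch that is not code from CloudAV or Immunet. The engine names, byte markers and the "any engine flags it" policy are constructed assumptions, and SHA-256 is chosen here because the post does not name a hash function.

```python
import hashlib

# Constructed stand-ins for real engines: each one flags a sample that
# contains any of its (made-up) byte signatures.
ENGINES = {
    "engine_a": [b"EVIL-MARKER-1"],
    "engine_b": [b"EVIL-MARKER-1", b"EVIL-MARKER-2"],
    "engine_c": [],
}


class CloudScanner:
    """Remote side: verdict cache keyed by hash; engines run only on a miss."""

    def __init__(self, engines=ENGINES):
        self.engines = engines
        self.verdicts = {}  # digest -> names of the engines that flagged the file
        self.uploads = 0    # number of full files that crossed the network

    def lookup(self, digest):
        return self.verdicts.get(digest)  # None means "hash not seen before"

    def submit(self, data):
        self.uploads += 1
        # Recompute the hash server-side so a client cannot bind a clean
        # verdict to a digest that belongs to a different file.
        digest = hashlib.sha256(data).hexdigest()
        hits = sorted(name for name, sigs in self.engines.items()
                      if any(sig in data for sig in sigs))
        self.verdicts[digest] = hits
        return hits


def scan(cloud, data):
    """Local agent: send the hash first, upload the file only if it is unknown."""
    digest = hashlib.sha256(data).hexdigest()
    hits = cloud.lookup(digest)
    cached = hits is not None
    if not cached:
        hits = cloud.submit(data)
    return {"malicious": bool(hits), "flagged_by": hits, "cached": cached}


if __name__ == "__main__":
    cloud = CloudScanner()
    sample = b"header EVIL-MARKER-2 payload"  # constructed sample, not real malware
    print(scan(cloud, sample))  # first host: file uploaded and analysed
    print(scan(cloud, sample))  # second host: answered from the hash cache
```
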
This must be the ideal system for detecting viruses, utilising the power of the best anti-virus engines together, but of course there's a problem. This system was only built to test an academic model and was not a commercial anti-virus solution. Individual anti-virus companies would never license their engine to work for a rival's cloud anti-virus.
A commercial cloud anti-virus would still have the advantage of not relying on a local virus definitions database which can take hours or days to update, but would have to rely on the virus detection rate of the anti-virus engine on the central system.
How can one have the advantages of an anti-virus without local definitions and still harness the power of multiple anti-virus engines?
Immunet has a clever answer: have your cloud anti-virus program sit alongside other anti-virus programs and report to you when they make a detection! That file is then available to you and can be added to your database of detections. This is not to say Immunet does not add its own detections: it claims to use web crawling, honeypots, generic and contextual detections, and has recently teamed up with Clam for Windows to add Clam's engine and detections database to its system. (More on Immunet here.)
I have no information on detection rates yet, but Immunet/Clam for Windows seems to run well alongside other anti-virus products and may even be good enough to run alone; its small footprint will certainly appeal to users whose systems have been 'bogged down' by traditional anti-virus programs. I'm currently trialing it on my Windows partition (which admittedly doesn't get much use) as sole anti-virus protection. There seems to be some possibility that cloud technology may be added to the Linux version of Clam.
"We are currently investigating the possibilities for using Immunet’s Cloud technology in the *nix version of ClamAV. Once ClamAV 0.96 releases and is integrated into the ClamAV for Windows distribution for offline scanning we will begin planning the next phase of integration. This will hopefully include some integration of the Cloud technologies in the *nix version of ClamAV."
Another cloud anti-virus product is available from Panda Security. It apparently has excellent detection rates, but I'm wary of trying it after hearing of alleged links between the company and the cult of Scientology.
More information about Immunet/ClamAV for Windows cloud anti-virus and links to comparisons with Panda CloudAV can be found on the avast! forum.
UPDATE: Panda has apparently distanced itself from Scientology.
"Control of Panda Security was transferred to a group of investment funds led by Investindustrial in 2007, since when the firm has embarked on a plan of expanding its international footprint outside its traditional sales base in continental Europe. Panda's founder and former chief, Mikel Urizarbarrena, stepped down at that point and sold 75 per cent of the business, allowing the firm to distance itself from Urizarbarrena's controversial faith in Scientology."
UPDATE2: An interesting comment from a developer of a 'traditional' AV program:
"My specific objection against these "new" in-the-cloud AV's is that they shamelessly parasite on the existing AV vendors who spent decades of R&D on getting where they are.

"I mean, what most of these home-grown clouds do is basically run each of the files through a dozen of AV scanners (in the cloud) and if at least some of them detect something, report the file as infected."
UPDATE3: Brian Krebs writes on Immunet.

UPDATE4: Immunet no longer picks up the detections of anti-virus programs it runs alongside, according to a post on the avast! forum which purports to be from an Immunet representative.
