Buzz word: “cloud anti-virus” – what is it all about?

“Cloud” is definitely one of the IT sector’s most popular marketing words of recent years. The virtual clouds promise you easy and mobile access to data and services. The anti-virus sector has also come to use this technology. Fast scans and very low resource usage are clear advantages of cloud-based scanners. But, as usual, there are two sides to the coin.

What is a cloud?

Cloud-computing is, put simply, the distributed delivery of IT infrastructure over a network. This can be basically anything. Storage services in particular are currently in vogue, where a computing center often offers storage over the web. You can use this storage on your PC at home just like a conventional local hard drive even though it is really located hundreds or even thousands of miles away. As you, the user, never know exactly which server your data is on, we speak of a data cloud where everything is stored.

Complete programs and services are also offered via cloud. Just like conventional client/server architecture, spreadsheet software for example is run on an external computer, which is a server. You are provided with an interface on your own PC via the Internet, which allows you to use the software. This is very convenient as it requires no software to be installed, and computationally intensive operations are also outsourced.

Conventional anti-virus solutions have a problem

Conventional virus scanners are still based on signatures. Yet sooner or later they will be stuck between a rock and a hard place, as the number of newly discovered malware variants doubles every 12 to 18 months, which means the number of signatures to be loaded grows exponentially as well. Virus scanners detect malware using these signatures, which are essentially digital fingerprints (see our article Signature recognition or behavioral analysis – Which is better?).

This means that signature-based security software uses more and more storage space every year, which particularly affects users with a poor Internet connection, as they have to download the signatures either directly during installation or during the first online update. Some providers require several hundred megabytes – a nightmare for users who do not yet have a broadband Internet connection. These programs also use a lot of RAM, as the signatures need to be held in memory for quick scans. High memory usage has a negative effect on the performance of older PCs in particular and makes these programs lose valuable points in comparative tests. Yet greater memory usage usually also means more signatures and therefore better detection rates in general.

What are the advantages of cloud anti-virus technology?

Security solutions in the virtual cloud solve almost every problem that conventional, locally installed malware mashers have. The user only has to download pure scanner technology, which is only a few megabytes or even kilobytes from most providers. All signatures are located on a centralized scan server and can be updated at any time, without any delay and in any number desired.

In a way, the cloud scanner works the other way round from a conventional signature scanner: instead of downloading signatures, it creates signatures from the files found on the PC and submits them to the scan server for analysis. If there is a hit, it alerts you of an infection as usual. You cannot see that this whole procedure is handled externally. You only see the result, and that the scan runs far faster and uses far fewer resources. The cloud scanner also detects deviations from normal system status very quickly by combining the data of a vast user community, which is another advantage. This makes it possible to view the system as a whole and to detect new, unknown malware variants.

So what’s the catch?

It just sounds too good to be true. Faster, better, using fewer resources – if this were all true, there would be no more conventional virus scanners. The devil is in the details for cloud anti-virus software: a regular PC hosts 300,000 to 500,000 files on average. If all of these were scanned, uploading the signatures created on the fly to the scan server would take forever.

This is exactly why cloud anti-virus software filters the files to be scanned in the first place according to different rules and parameters. For instance, there are some file types or paths that are generally considered safe. Many cloud anti-virus solutions therefore come with huge whitelists. These are sort of inverse signatures that classify known programs as safe. This massively reduces the number of files to be scanned – even though more data needs to be downloaded to your PC.

This incomplete scan is, however, the Achilles’ heel of this technology. If not all of the files are properly scanned, there are always gaps that malware can use, whether these are paths that have not been used so far or a file type that has been considered safe until now.

Another problem is that files that the scan cloud has not yet detected at all are, in most cases, entirely submitted to the cloud for further analysis. If you were happy about the small download, you’ll get a nasty surprise when scanning for the first time: countless megabytes are uploaded to the cloud. And many will not even be aware of the fact that private or important company data ends up on third-party servers.
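The three mechanisms described above (fingerprints sent to the scan server instead of signatures downloaded to the PC, the prefilter and whitelist that reduce the scan set, and the full upload of files the cloud has never seen) can be shown together in one small simulation. This is an added illustration, not Emsisoft code and not any vendor’s protocol: the file contents, the “cloud” tables, the safe-extension and trusted-path rules and the byte accounting are all constructed here for the example. It makes the two catches visible: a known-bad file sitting in a trusted path is never hashed when the prefilter is on, and an unknown program is uploaded in full, so the upload volume is dominated by unknown files rather than by the hashes.

```python
import hashlib
from dataclasses import dataclass, field

# --- Constructed sample files: placeholder bytes, not real programs or malware ---
SAMPLE_FILES = {
    "/home/user/docs/report.txt":            b"quarterly numbers, nothing executable",
    "/usr/bin/known_tool":                   b"MZ-known-good-tool",
    "/usr/bin/known_bad":                    b"MZ-known-bad-sample",
    "/home/user/downloads/new_app.exe":      b"MZ-never-seen-before" * 2000,   # 40,000 bytes
    "/usr/local/trusted/bad_in_trusted_dir": b"MZ-bad-hiding-in-a-trusted-path",
}


def fingerprint(data: bytes) -> str:
    """Client-side 'signature' of a file: the SHA-256 hash of its contents (64 hex chars)."""
    return hashlib.sha256(data).hexdigest()


# --- Constructed 'cloud' side: what the scan server knows, keyed by hash ---
CLOUD_KNOWN_BAD = {fingerprint(b"MZ-known-bad-sample"),
                   fingerprint(b"MZ-bad-hiding-in-a-trusted-path")}
CLOUD_WHITELIST = {fingerprint(b"MZ-known-good-tool")}   # "inverse signatures"


def cloud_lookup(hashes):
    """Server side: answer a batch of hashes with one verdict per hash."""
    verdicts = {}
    for h in hashes:
        if h in CLOUD_KNOWN_BAD:
            verdicts[h] = "malicious"
        elif h in CLOUD_WHITELIST:
            verdicts[h] = "safe"
        else:
            verdicts[h] = "unknown"
    return verdicts


# --- Client-side prefilter: assumed rules for the example, not a real product's list ---
SAFE_EXTENSIONS = (".txt",)
TRUSTED_PATH_PREFIXES = ("/usr/local/trusted/",)


def prefilter(path: str) -> bool:
    """True if the file is skipped outright, i.e. never hashed and never sent to the cloud."""
    return path.endswith(SAFE_EXTENSIONS) or path.startswith(TRUSTED_PATH_PREFIXES)


@dataclass
class ScanReport:
    verdicts: dict = field(default_factory=dict)   # path -> verdict
    skipped: list = field(default_factory=list)    # paths the prefilter removed
    bytes_uploaded: int = 0                        # hashes sent + full uploads of unknowns


def cloud_scan(files, use_prefilter=True) -> ScanReport:
    """Scan a {path: bytes} mapping the way a cloud scanner would: filter, hash, look up, upload unknowns."""
    report = ScanReport()
    to_check = {}
    for path, data in files.items():
        if use_prefilter and prefilter(path):
            report.skipped.append(path)
            continue
        to_check[path] = fingerprint(data)

    # One round trip carrying only the fingerprints, not the files.
    verdicts = cloud_lookup(set(to_check.values()))
    report.bytes_uploaded += sum(len(h) for h in to_check.values())

    for path, h in to_check.items():
        verdict = verdicts[h]
        if verdict == "unknown":
            # Never seen by the cloud: the entire file goes up for analysis.
            report.bytes_uploaded += len(files[path])
            verdict = "submitted for analysis"
        report.verdicts[path] = verdict
    return report


if __name__ == "__main__":
    for flag in (True, False):
        r = cloud_scan(SAMPLE_FILES, use_prefilter=flag)
        print(f"prefilter={flag}: uploaded {r.bytes_uploaded} bytes, skipped {r.skipped}")
        for path, verdict in r.verdicts.items():
            print(f"  {verdict:24} {path}")
```

Run with the prefilter on, the trusted-path file does not appear in the verdicts at all, although the cloud would have flagged it; run with the prefilter off, it is reported as malicious, but every file is now hashed and the unknown document is uploaded too. The byte counter shows why scanners accept the gap: the 64-character hashes cost almost nothing, the one unknown program costs 40,000 bytes.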

Hybrid technology as the best solution

We believe that combining a cloud service with a conventional anti-virus scanner offers the best of both technologies. This is why many Emsisoft products use cloud features.

First of all, Emsisoft Anti-Malware offers the possibility of participating in the “Emsisoft Anti-Malware Network”. If you enable this option, all decisions regarding alerts from the behavior blocker are directly submitted to our server. This enables other users to see if the majority of the community allows or blocks a program and thus helps you to make a decision. There is also a “trust index” for every program based on statistical calculations. Programs that are definitely safe are put on a whitelist, and there will be no further alerts for this program.
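The page says the trust index is “based on statistical calculations” without saying which, so the following is an added example of one reasonable way to turn community allow/block decisions into such an index; it is not the Emsisoft Anti-Malware Network’s actual formula. The decisions, program hashes, the choice of a Wilson score lower bound, the 0.95 whitelist threshold and the minimum of 50 decisions are all assumptions made for the illustration. The point it shows is why a scoring rule needs to account for how many decisions it has seen: a handful of unanimous “allow” votes, or even fifty of them, is not enough to call a program “definitely safe”, whereas a few hundred votes with a small minority of blocks is.

```python
import math
from collections import defaultdict

# Constructed stream of community decisions: (program hash, decision).
# The hashes are made-up hex strings standing in for real file fingerprints.
DECISIONS = (
    [("aa11" * 16, "allow")] * 500 + [("aa11" * 16, "block")] * 5      # popular, a few blocks
    + [("bb22" * 16, "allow")] * 50                                    # unanimous but small
    + [("cc33" * 16, "allow")] * 100 + [("cc33" * 16, "block")] * 100  # community split
    + [("dd44" * 16, "allow")] * 3                                     # brand new program
)

WHITELIST_THRESHOLD = 0.95   # assumption: lower bound needed to call a program "definitely safe"
MIN_DECISIONS = 50           # assumption: below this the index is shown but not acted on


def aggregate(decisions):
    """Count allow/block decisions per program hash."""
    counts = defaultdict(lambda: {"allow": 0, "block": 0})
    for program_hash, decision in decisions:
        counts[program_hash][decision] += 1
    return dict(counts)


def wilson_lower_bound(allows: int, blocks: int, z: float = 1.96) -> float:
    """Lower end of the 95% Wilson interval for the allow fraction.

    Unlike the raw ratio allows/(allows+blocks), this shrinks towards 0 when the
    sample is small, so few votes cannot produce a high score on their own.
    """
    n = allows + blocks
    if n == 0:
        return 0.0
    p = allows / n
    centre = p + z * z / (2 * n)
    margin = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre - margin) / (1 + z * z / n)


def trust_index(allows: int, blocks: int) -> float:
    """Trust index in [0, 1], rounded for display."""
    return round(wilson_lower_bound(allows, blocks), 3)


def classify(allows: int, blocks: int):
    """Map a program's counts to what the client would show or do."""
    ti = trust_index(allows, blocks)
    if allows + blocks < MIN_DECISIONS:
        return ("too few decisions", ti)
    if ti >= WHITELIST_THRESHOLD:
        return ("whitelist", ti)          # no further alerts for this program
    if ti >= 0.5:
        return ("community leans allow", ti)
    return ("disputed or leans block", ti)


def community_view(decisions):
    """Verdict and trust index for every program seen in the decision stream."""
    return {h: classify(c["allow"], c["block"]) for h, c in aggregate(decisions).items()}


if __name__ == "__main__":
    for program_hash, (verdict, ti) in community_view(DECISIONS).items():
        print(f"{program_hash[:12]}...  trust index {ti:.3f}  -> {verdict}")
```

Note the contrast between the second and third programs: fifty unanimous allows score about 0.93 and stay just below the whitelist line, while five hundred allows against five blocks score about 0.98 and are whitelisted, because the interval narrows with the number of decisions. A plain ratio would rank the unanimous program higher.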

Emsisoft Anti-Malware’s scanner also asks if you would like to submit suspicious patterns in newly discovered files (only program files, no documents). Our analysis team then analyzes the suspicious file thoroughly and creates a new signature if need be. This helps Emsisoft and also all users by reducing the response time in the event of new malware outbreaks and offering the best protection possible.

Our HIPS-based firewall Emsisoft Online Armor also uses the Emsisoft Anti-Malware Network. Saved rules for allowed and blocked programs are submitted to the Emsisoft cloud in order to reduce future alerts. False alerts are avoided in an efficient manner without lowering the security level.

Incidentally, all data on program files stored in the Emsisoft Anti-Malware Network is visible to everyone and even searchable. The Emsisoft cloud is thus not closed, but absolutely transparent and can be accessed through a website as an interface at any time. There are currently more than 12 million known program files (as of November 2012), including geographical distribution of malware occurrence. See for yourself: IsThisFileSafe.com.