Malware Scanning Moves to the Cloud

By Andy Patrizio | Sep 9, 2008
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3770356/Malware-Scanning-Moves-to-the-Cloud.htm

Anti-malware software has long been viewed as a necessary evil, as in, both necessary and evil to have on your machine.

It's necessary because without it, your computer could become an infected mess, a zombie on a botnet spewing out spam and running as slow as a 386 by today's standards.

It's also evil because while spyware and malware can slow your computer to a crawl, AV software isn't a whole lot better. The only bigger productivity-killer than Flash games on the Web is a full system scan running in the background.

To alleviate some of this stress, antivirus vendors have taken to moving some of the processing of suspected malware to the Internet "cloud." Trend Micro launched such a service, called Smart Protection Network, this past June and has new products that build on that technology planned for release later this week. Now both F-Secure and McAfee are launching similar efforts.

They all use roughly the same approach: when a suspicious URL or file first appears anywhere in the world, whether on a customer's computer or attached to an e-mail, a hash of it is taken and compared against the vendor's databases of known malware, white lists and black lists. If the file exhibits questionable behavior or traits, it is flagged as dangerous, and all customers are thereafter protected because the hash is recognized, even if its malicious payload has not yet been fully analyzed.

The usual process today is to obtain a sample of the malware, examine it, and issue an update to the antivirus signature file, which can take a day or more. In that time, a lot of damage can be done. With the cloud approach, a fix is pushed out within seconds of the malware arriving on the antivirus vendor's network.
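The lookup-then-publish flow described in the paragraphs above, written out as an added Python example. This is illustration code, not the article's and not any of the named vendors' software: the CloudReputation service, the endpoint logic, the trait heuristic and the sample byte strings are all constructed here. It also shows the caveat a practitioner would raise about exact-hash reputation: one changed byte produces an unknown hash, so the file has to be analyzed locally again before the rest of the fleet is protected.

```python
"""Toy cloud reputation lookup: hash a file, consult shared black/white
lists, fall back to a local trait check for unknown files, and publish
the verdict so every other endpoint gets it on its next lookup.

Illustration only; the sample files, the trait heuristic and the service
API are constructed for this example and are not any vendor's protocol.
"""
import hashlib


class CloudReputation:
    """Stand-in for the vendor-side service: one shared set of verdicts."""

    def __init__(self, known_good, known_bad):
        self.whitelist = set(known_good)
        self.blacklist = set(known_bad)

    def lookup(self, digest):
        if digest in self.blacklist:
            return "malicious"
        if digest in self.whitelist:
            return "clean"
        return "unknown"

    def report(self, digest, verdict):
        """An endpoint publishes a verdict; it takes effect for all endpoints."""
        if verdict == "malicious":
            self.blacklist.add(digest)
        elif verdict == "clean":
            self.whitelist.add(digest)


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


# Constructed markers for the toy heuristic below, not a real detection rule.
SUSPICIOUS_TRAITS = (b"cmd.exe /c", b"powershell -enc", b"URLDownloadToFile")


def local_trait_check(blob):
    """Constructed stand-in for endpoint-side trait analysis: flag an
    executable-looking blob that also carries a download-and-run marker."""
    looks_executable = blob.startswith(b"MZ")
    has_marker = any(t in blob for t in SUSPICIOUS_TRAITS)
    return "malicious" if looks_executable and has_marker else "clean"


class Endpoint:
    """One customer machine. Counts how often it had to analyze locally."""

    def __init__(self, name, cloud):
        self.name = name
        self.cloud = cloud
        self.local_analyses = 0

    def scan(self, blob):
        digest = sha256_hex(blob)
        verdict = self.cloud.lookup(digest)
        if verdict != "unknown":
            return verdict, "cloud"
        # First sighting anywhere: analyze here, then publish for everyone.
        self.local_analyses += 1
        verdict = local_trait_check(blob)
        self.cloud.report(digest, verdict)
        return verdict, "local"


# Constructed sample files (byte strings), not real software or malware.
CALC_EXE = b"MZ\x90\x00" + b"calculator build 1.0"
DROPPER_EXE = (b"MZ\x90\x00" + b"pad"
               + b"URLDownloadToFile http://example.invalid/x cmd.exe /c x.exe")


def demo():
    cloud = CloudReputation(known_good=[sha256_hex(CALC_EXE)], known_bad=[])
    alice = Endpoint("alice", cloud)
    bob = Endpoint("bob", cloud)

    results = {
        "alice_calc": alice.scan(CALC_EXE),        # whitelisted, answered by cloud
        "alice_dropper": alice.scan(DROPPER_EXE),  # first sighting, analyzed locally
        "bob_dropper": bob.scan(DROPPER_EXE),      # same hash, cloud answers instantly
    }
    # Caveat: exact-hash reputation is defeated by any byte change; the
    # trait check still catches this one, but only after a fresh local analysis.
    repacked = DROPPER_EXE + b"\x00"
    results["bob_repacked"] = bob.scan(repacked)
    results["local_analyses"] = (alice.local_analyses, bob.local_analyses)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Bob's second scan of the original dropper never runs the local analysis: the hash Alice published is enough. The repacked copy shows the limit of the scheme, which is why vendors pair hash reputation with the behavioral and trait checks the article mentions rather than relying on hashes alone.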

Such speed is needed. Peter Firstbrook, a security researcher for Gartner, said that we are on track for five million pieces of malware in 2008, whereas the full year 1998 saw just 1,700 pieces of new malware.

The idea is to cut zero-day threats, threats for which there is no known fix or cure, down to one-minute threats that are recognized as soon as they show up, said David Marcus, security research and communications manager at McAfee's (NYSE: MFE) Avert Labs.

"It's almost the equivalent of being a first responder," he told InternetNews.com. "It allows us to say we don't know what it is, but we've identified something suspicious going on, let's take it into the cloud, compare to larger black list, and make a fix. It lets us close a huge protection gap between when it's found, when it's analyzed, when it has protection written against it and when it's sent out, which is usually the next day after it's found."

Once the malware has a quick fix in place, engineers at the firms perform a closer examination without having to rush out a fix, and it is eventually identified and given a name.

F-Secure's service is known as DeepGuard and offered as part of its new Wellbeing 2009 suite of security software. McAfee's service is called Artemis and is a part of McAfee Total Protection Service for small and medium-sized businesses. It will also be a part of McAfee VirusScan Enterprise and McAfee's consumer products later this month.

The goal is to take the load off the end user's computer, which is already receiving two or three signature updates a day, and at the same time greatly increase the database of known bad software.

As big as the definitions files are, with hundreds of thousands of entries, Marcus said McAfee gets far more data per day than it would ever want to put on an end user's computer.

"It gets to the point of how much of a load do you want to put on the end point?" he said. "We have access to more info in the cloud than we would ever put on the customer machine and we're always adding to that list."

Long term, it could allow McAfee to take the load off the end user by putting only necessary signature files on the computer. When a virus scan is done, each file has to be compared against all of the signatures in the database, and that can get very slow given the size of signature databases today.

Firstbrook said the solutions are good in the short-term but don't solve the overall problem. "It's not game changing. They've gained a little scalability, and they needed to do that. But they've won the battle and are losing the war because the bad guys are always keeping ahead of them," he said.

His preference is for locking down the system in a known good configuration and white listing known good applications, but that, he notes, is a ways off, too. "I tried to install Google Chrome and Kaspersky Antivirus blocked it immediately. iTunes constantly asks me to update, and I have no idea what it will do. I've totally lost control of my system," he said.

Article courtesy of InternetNews.com