A View from Robert Lemos
Clarifying An Antivirus Cloud
Other antivirus firms have raised questions about Immunet’s “cloud-antivirus” technology. The startup’s CEO offers to answer them.
Immunet’s CEO Oliver Friedrichs agreed to answer some questions about the company, its business and the technology it uses to detect malicious software.
What is your definition of a cloud antivirus solution?
A pure cloud antivirus solution relies on a detection set that resides on Internet servers, or “in the cloud.” A lightweight desktop agent is used to query this detection set whenever new files are installed on your computer, or when you perform a scan of running applications. Traditional antivirus products store this detection set locally, and in recent years, that database has grown to use anywhere from 50 to 100 megabytes of additional storage space. Immunet Protect is a pure cloud-based product since our detections are stored on the Internet by Immunet and accessed on-demand when required.
What are the advantages of cloud AV?
A cloud AV product is much different from a traditional antivirus product, and it requires re-architecting all components of the AV product. It moves the actual detections into the cloud. The following are what we believe are just some of the benefits:
- It reduces the publishing delay to zero
Threats today are very short-lived, and by the time you receive detections from your traditional AV vendor, the threat itself has largely died off. Even worse, the detections that you receive–numbering from 10,000 to 40,000 per day–are largely irrelevant to you. The chances of you encountering even one of those threats on any given day are very, very low. Your system queries the cloud to determine whether something is malicious, and it takes, on average, 200ms, about 1/5th of a second, to get a response.
- It requires fewer resources from users’ computers
Cloud AV reduces the on-disk footprint, in-memory usage, CPU required to update your computer, and bandwidth costs.
- It allows for broader protection
Since the cloud can grow in a largely unbounded fashion, it is possible to be much more liberal about what you put in the cloud. It allows for blacklisting, whitelisting, and even aggressive report-only detections quite easily. It allows an antivirus vendor much more flexibility in protecting the end-user.
- It allows for quicker innovation
It is much easier for a company that is cloud-based to innovate and tune their detection logic. In most cases this does not require the company’s user base to install updates. This is a huge advantage and directly affects the protection that is provided to end users.
- It allows for immediate resolution of false positives
False positives–when a legitimate program is flagged as a threat–continue to plague the AV industry, and they are impossible to eliminate entirely. With a cloud-based model, however, you can remove an erroneous detection immediately, as soon as you begin to see people in the field restore files that have been incorrectly quarantined. Immunet Protect does this, and we are able to resolve false positives by monitoring in-field restores.
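To make the mechanics above concrete, here is an added toy model (not Immunet’s code, and not based on any detail of its protocol) of a cloud-side detection set and a lightweight endpoint agent: the agent hashes a new file and queries the cloud on demand, the cloud can publish blacklist, whitelist and report-only verdicts without pushing an update to endpoints, and a detection is demoted automatically once enough endpoints report restoring a file from quarantine. The class names, verdict strings and the restore threshold are all assumptions made for this illustration.

```python
import hashlib
from collections import defaultdict

# Verdict categories: names chosen for this example, not a vendor's format.
BLOCK, ALLOW, REPORT_ONLY, UNKNOWN = "block", "allow", "report-only", "unknown"


class CloudDetectionSet:
    """Server side: the detection set lives here and is never shipped to endpoints."""

    def __init__(self, restore_threshold=3):
        self.verdicts = {}                 # sha256 hex digest -> verdict
        self.restores = defaultdict(int)   # digest -> count of in-field restores
        self.restore_threshold = restore_threshold  # assumed cut-off for demotion

    def publish(self, digest, verdict):
        # Takes effect on the next query from any agent: publishing delay is zero,
        # and no signature file has to be downloaded by the user base.
        self.verdicts[digest] = verdict

    def lookup(self, digest):
        return self.verdicts.get(digest, UNKNOWN)

    def report_restore(self, digest):
        """An endpoint restored a quarantined file. Enough such reports on one
        blocked hash demote it to report-only instead of deleting it outright,
        so the hash is still tracked while the false positive is investigated."""
        self.restores[digest] += 1
        if self.verdicts.get(digest) == BLOCK and self.restores[digest] >= self.restore_threshold:
            self.verdicts[digest] = REPORT_ONLY
            return True
        return False


class Agent:
    """Endpoint side: hashes new files and asks the cloud. Only whitelist (ALLOW)
    answers are cached locally; everything else is re-queried so that a retracted
    detection is honoured on the very next scan rather than after an update."""

    def __init__(self, cloud):
        self.cloud = cloud
        self.allow_cache = set()

    def scan(self, data):
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.allow_cache:
            return digest, ALLOW
        verdict = self.cloud.lookup(digest)
        if verdict == ALLOW:
            self.allow_cache.add(digest)
        return digest, verdict
```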
Malicious software that is packed in different ways to evade antivirus is a major problem right now. We will likely see packed programs that will require millions of signatures to catch. How does cloud AV solve this problem?
Cloud AV can deal with packed, metamorphic, and polymorphic threats through the use of domain-specific generic signatures that will detect families and variants of these threats. The development of such signature formats is the key to the future success of cloud-based antivirus, and Immunet is heavily focused in this area.
Immunet previously has said that it has decided not to use the detections of other antivirus solutions in its inputs when determining if a program is malicious or not. Can you explain that?
Let me clarify a statement that I made previously on what we do when running alongside another antivirus product. Immunet Protect sees when other security products detect or block threats. It’s quite easy to do this without interfering with or tampering with other products in any way. More specifically, we see threats that the user has received in some form arrive on their computer and get quarantined. This information is sent up to Immunet, much like SANS DShield and Symantec DeepSight work for intrusion events. We track this information for reporting purposes and are still determining whether or not this information can be used directly to generate detections.