
A View from Robert Lemos

Clarifying An Antivirus Cloud

Other antivirus firms have raised questions about Immunet’s “cloud-antivirus” technology. The startup’s CEO offers to answer them.

  • September 2, 2009

Following Immunet’s launch in August, rival antivirus firms quickly raised questions about the company’s claims to deliver a “cloud” antivirus service.

Immunet’s CEO Oliver Friedrichs agreed to answer some questions about the company, its business and the technology it uses to detect malicious software.

What is your definition of a cloud antivirus solution?

A pure cloud antivirus solution relies on a detection set that resides on Internet servers, or “in the cloud.” A lightweight desktop agent is used to query this detection set whenever new files are installed on your computer, or when you perform a scan of running applications. Traditional antivirus products store this detection set locally, and in recent years, that database has grown to use anywhere from 50 to 100 megabytes of additional storage space. Immunet Protect is a pure cloud-based product since our detections are stored on the Internet by Immunet and accessed on-demand when required.

What are the advantages of cloud AV?

A cloud AV product is much different than a traditional antivirus product, and it requires re-architecting all components of the AV products. It moves the actual detections into the cloud. The following are what we believe are just some of the benefits:

  • It reduces the publishing delay to zero
    Threats today are very short lived, and by the time you receive detections from your traditional AV vendor, the threat itself has largely died off. Even worse, the detections that you receive–numbering from 10,000 to 40,000 per day–are largely irrelevant to you. The chances of you encountering even one of those threats on any given day are very, very low. Your system queries the cloud to determine whether something is malicious, and it takes, on average, 200ms, about 1/5th of a second, to get a response.
  • It requires fewer resources from users’ computers
    Cloud AV reduces the on-disk footprint, in-memory usage, CPU required to update your computer, and bandwidth costs.
  • It allows for broader protection
    Since the cloud can grow in a largely unbounded fashion, it is possible to be much more liberal on what you put in the cloud. It allows for blacklisting, whitelisting, and even aggressive report-only detections quite easily. It allows an antivirus vendor much more flexibility in protecting the end-user.
  • It allows for quicker innovation
    It is much easier for a company that is cloud-based to innovate and tune their detection logic. In most cases this does not require the company’s user base to install updates. This is a huge advantage and directly affects the protection that is provided to end users.
  • It allows for immediate resolution of false positives
    False positives–when a legitimate program is flagged as a threat–continue to plague the AV industry, and they are impossible to eliminate entirely. With a cloud-based model, however, you can remove an erroneous detection immediately, as soon as you begin to see people in the field restore files that have been incorrectly quarantined. Immunet Protect does this, and we are able to resolve false positives by monitoring in-field restores.
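The lookup flow described in the answers above (a lightweight agent hashing a new file and querying a server-side detection set that can carry blacklist, whitelist and report-only verdicts, with a detection retracted once in-field restores show it to be a false positive) can be modelled in a few dozen lines. The following is an added illustration and is not Immunet’s code; the “cloud” is an in-memory dictionary standing in for an Internet-hosted detection set, the sample file contents are constructed, and the three-restore retraction threshold is an assumption made for the example.

```python
"""Toy model of a pure cloud-antivirus lookup (added illustration, not Immunet's code).

The CloudDetectionSet stands in for the Internet-hosted detection set; the
LightweightAgent stands in for the desktop client. All sample data below is
constructed, and the restore threshold is an assumed value.
"""
import hashlib
from dataclasses import dataclass, field

# Verdict categories the interview mentions: blacklist, whitelist, report-only.
BLOCK = "block"          # blacklisted: quarantine the file
ALLOW = "allow"          # whitelisted: known good
REPORT = "report-only"   # aggressive detection: log it, do not quarantine
UNKNOWN = "unknown"      # not present in the detection set


def sha256(data: bytes) -> str:
    """Content hash used as the lookup key (a pure-hash lookup, no local signatures)."""
    return hashlib.sha256(data).hexdigest()


def action_for(verdict: str) -> str:
    """What the agent does with a verdict; report-only never quarantines."""
    return {BLOCK: "quarantine", ALLOW: "run", REPORT: "log", UNKNOWN: "run"}[verdict]


@dataclass
class CloudDetectionSet:
    """Server side: verdicts are published here and take effect on the next query."""
    verdicts: dict = field(default_factory=dict)   # hash -> verdict
    restores: dict = field(default_factory=dict)   # hash -> in-field restore count
    restore_threshold: int = 3                     # assumed threshold for auto-retraction

    def lookup(self, file_hash: str) -> str:
        return self.verdicts.get(file_hash, UNKNOWN)

    def publish(self, file_hash: str, verdict: str) -> None:
        # No client update is shipped: the next query already sees the new verdict.
        self.verdicts[file_hash] = verdict

    def report_restore(self, file_hash: str) -> bool:
        """An agent reports that a user restored a quarantined file.
        Returns True if the detection was retracted as a likely false positive."""
        self.restores[file_hash] = self.restores.get(file_hash, 0) + 1
        if (self.verdicts.get(file_hash) == BLOCK
                and self.restores[file_hash] >= self.restore_threshold):
            del self.verdicts[file_hash]
            return True
        return False


@dataclass
class LightweightAgent:
    """Client side: no local detection database, only a small verdict cache."""
    cloud: CloudDetectionSet
    cache: dict = field(default_factory=dict)      # hash -> verdict seen recently
    queries: int = 0

    def on_new_file(self, data: bytes) -> str:
        """Called when a file is installed or a scan visits a running program."""
        h = sha256(data)
        if h not in self.cache:
            self.queries += 1
            self.cache[h] = self.cloud.lookup(h)
        return self.cache[h]

    def restore(self, data: bytes) -> bool:
        """User restores a quarantined file; drop the cached verdict and tell the cloud."""
        h = sha256(data)
        self.cache.pop(h, None)
        return self.cloud.report_restore(h)


def demo():
    """Walk through lookup, report-only handling and false-positive retraction."""
    cloud = CloudDetectionSet()
    good = b"constructed sample: known-good installer"
    bad = b"constructed sample: file wrongly blacklisted"
    odd = b"constructed sample: suspicious but unconfirmed"
    cloud.publish(sha256(good), ALLOW)
    cloud.publish(sha256(bad), BLOCK)
    cloud.publish(sha256(odd), REPORT)

    first = LightweightAgent(cloud)
    verdicts = {
        "good": first.on_new_file(good),
        "bad": first.on_new_file(bad),
        "odd": first.on_new_file(odd),
        "new": first.on_new_file(b"constructed sample: never seen before"),
    }
    actions = {name: action_for(v) for name, v in verdicts.items()}

    # Three users (three agents) each get the file quarantined, then restore it.
    agents = [first, LightweightAgent(cloud), LightweightAgent(cloud)]
    for a in agents:
        a.on_new_file(bad)
    retracted = [a.restore(bad) for a in agents]
    verdicts["bad_after_restores"] = first.on_new_file(bad)
    return verdicts, actions, retracted


if __name__ == "__main__":
    print(demo())
```

The cache is what makes the model honest about a trade-off the interview glosses over: a cached verdict is exactly the publishing delay the cloud model is meant to remove, so a real agent would expire entries quickly and clear them on restore, as `restore` does here.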

Malicious software that is packed in different ways to evade antivirus is a major problem right now. We will likely see packed programs that will require millions of signatures to catch. How does cloud AV solve this problem?

Cloud AV can deal with packed, metamorphic, and polymorphic threats through the use of domain-specific generic signatures that will detect families and variants of these threats. The development of such signature formats is the key to the future success of cloud-based antivirus, and Immunet is heavily focused in this area.

Immunet previously has said that it has decided not to use the detections of other antivirus solutions in its inputs when determining if a program is malicious or not. Can you explain that?

Let me clarify a statement that I made previously on what we do when running alongside another antivirus product. Immunet Protect sees when other security products detect or block threats. It’s quite easy to do this without interfering with or tampering with other products in any way. More specifically, we see threats that the user has received in some form arrive on their computer, and get quarantined. This information is sent up to Immunet, much like SANS DShield and Symantec DeepSight work for intrusion events. We track this information for reporting purposes and are still determining whether or not this information can be used directly to generate detections.
