Win7

join:2012-10-13
L5x3t4

1 recommendation

How a cloud antivirus works?

If you have malware on your PC, basically 2 things can happen (simplified approach):

1. your PC gets screwed up; reimaging will restore your PC

2. your data is stolen and submitted over the internet

Now, a cloud antivirus has to get the hash of the suspected file and submit it over the internet to the cloud; the cloud makes a decision, the decision is sent back to your PC and the file is quarantined.

This process is fast but not fast enough: you can see that in order to quarantine a malicious file the info has to travel BACK and FORTH between the cloud and your PC.

Meanwhile the malware has enough time to transmit stolen data to the internet because its process takes only half the time.

So, cloud antivirus: PC(hash)---->CLOUD(decision)----->PC(quarantine)

Malware: PC----->WEB

Am I missing something here?

As you can see the malware has at least double the time to transmit the stolen data until it is quarantined.

Win7


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

It's surely the same for all antiviruses. If the virus is permitted to execute at all, you may already have lost.

If the virus is not permitted to execute prior to being given the green light (i.e., determined to not be a known threat), then it doesn't matter from a security viewpoint whether or not that determination takes a millisecond or a fortnight.


Win7

join:2012-10-13
L5x3t4

"It's surely the same for all antiviruses"

Well, not quite.

I am not concerned about malware which can screw up my PC, I can recover from that.

My main concern is malware which can steal data from your PC, and I fail to see how "It's surely the same for all antiviruses".

An antivirus which has a resident signature database will block that malware instantly compared with an antivirus which has a cloud-resident database and has to ask for a decision "in the cloud"; I can say that, in fact, a cloud antivirus doesn't offer real-time protection, it is always real time + your internet speed + cloud latency + your internet speed again.

And cloud latency can be as high as 7000ms, see:
»alan.blog-city.com/amazon_ec2_la···aphs.htm



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by Win7:

An antivirus which has a resident signature database will block that malware instantly compared with an antivirus which has a cloud resident database

Which AV vendor that uses the cloud for signatures doesn't also have a local resident database?

Win7

join:2012-10-13
L5x3t4

1 edit

Panda has one.

Webroot doesn't have one.

Not sure about KingSoft Antivirus.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to Win7

Firstly, we must be talking about real-time interception, not on-demand scanning, since no on-demand (or on-schedule) scanning can possibly stop malware at the point of execution.

So, for real-time AV:

I have this model in mind: the AV software inserts itself in the file system path. On opening the file for execution, the AV kernel component determines whether the file is safe. The file-open I/O stalls until the determination has been made. Execution cannot commence until the file-open I/O completes. Therefore, the amount of time taken to make the determination is irrelevant.

You seem to have this model in mind: the AV software is notified when the file starts execution. The AV hurries up and determines whether the already-started file is safe. Therefore, there is an unchecked period of execution during which malware can do its dirty work.

An AV designed by your model is defective regardless of whether determining safety takes very little time (local system) or a lot of time (remote system). It's so obviously defective that I assume that no AV designed to that model in fact exists -- though I could be wrong there, I suppose it's dangerous to bet against the stupidity of some programmers.

But is there such a thing as real-time cloud-based AV? I didn't find any.

In which case, your discussion is really nothing to do with cloud. It is comparing the merits of real-time AV versus on-demand AV. No AV that's not inserted in the file-open path will protect absolutely against execution of malware that is already resident on your disk.
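The two interception models dave contrasts, as an added example (this is illustration code written for this thread, not code from any AV product): a small threaded simulation in which the open-for-execute either stalls until the verdict is back ("stall") or lets the file run while the verdict is fetched ("notify"). The verdict latency is a parameter, so a resident table (~1 ms) and a cloud round trip (200 ms, or whatever you like) can be compared directly. The sample bytes, the "signature database" and the exfiltration loop are all constructed.

```python
"""Added example: synchronous vs. asynchronous verdict at open-for-execute.

  stall  : the file-open I/O is held until the verdict arrives, so a file
           judged malicious never runs at all.
  notify : the file runs immediately and the verdict catches up later, so
           malicious code runs for at least the verdict latency.

All sample data, latencies and the exfiltration loop are constructed.
"""
import hashlib
import threading
import time

# Constructed signature database: SHA-256 of one "known bad" sample.
EVIL = b"EVIL_PAYLOAD_v1"
BENIGN = b"hello world"
KNOWN_BAD = {hashlib.sha256(EVIL).hexdigest()}


def verdict_lookup(content: bytes, latency_s: float) -> bool:
    """True if the content's hash is known bad. The sleep stands in for
    where the table lives: resident (near 0) or a cloud round trip."""
    time.sleep(latency_s)
    return hashlib.sha256(content).hexdigest() in KNOWN_BAD


class Sink:
    """Counts bytes the running program managed to send."""

    def __init__(self) -> None:
        self.sent = 0
        self.lock = threading.Lock()


def run_program(content: bytes, stop: threading.Event, sink: Sink) -> None:
    """Stand-in for the executable. Only the malicious sample exfiltrates;
    it keeps sending 1 KiB chunks until quarantine sets `stop`."""
    if content != EVIL:
        return
    while not stop.is_set():
        with sink.lock:
            sink.sent += 1024
        time.sleep(0.001)


def open_for_execute_stall(content: bytes, latency_s: float) -> tuple:
    """Model A: the open does not complete until the verdict is known."""
    if verdict_lookup(content, latency_s):
        return "quarantined", 0          # never executed, nothing leaked
    # Judged clean: it runs, but with a known-bad hash we never get here.
    return "allowed", 0


def open_for_execute_notify(content: bytes, latency_s: float) -> tuple:
    """Model B: execution starts now, the verdict arrives later."""
    sink, stop = Sink(), threading.Event()
    worker = threading.Thread(target=run_program, args=(content, stop, sink))
    worker.start()                               # already running...
    bad = verdict_lookup(content, latency_s)     # ...while we wait
    stop.set()                                   # quarantine (or not)
    worker.join()
    return ("quarantined" if bad else "allowed"), sink.sent


def compare(latencies=(0.001, 0.2)) -> dict:
    """Both models against the known-bad sample at each verdict latency."""
    return {
        lat: {
            "stall": open_for_execute_stall(EVIL, lat),
            "notify": open_for_execute_notify(EVIL, lat),
        }
        for lat in latencies
    }


if __name__ == "__main__":
    for lat, result in compare().items():
        print(f"latency={lat:>6}s  stall={result['stall']}  notify={result['notify']}")
```

In the stall model the leaked byte count is zero at every latency, because the verdict gates execution; in the notify model it grows with the latency, whether that latency comes from a local table or a cloud lookup. That is the point of the post above: latency only matters if the design already lets the file run first.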


Win7

join:2012-10-13
L5x3t4

"On opening the file for execution, the AV kernel component determines whether the file is safe"

Based on this model, you won't be able to boot your PC because your cloud AV will intercept all your OS files but there is no internet connection yet, so it is impossible to validate them as bad or good.



Triple Helix
Go Blue Jays Go
Premium
join:2007-07-26
Oshawa, ON
kudos:7
Reviews:
·Rogers Hi-Speed
reply to Win7

Here is a great video on how Webroot SecureAnywhere still protects you if the file is unknown and in this case you could say if you don't have any internet connection at the time.

»www.youtube.com/watch?feature=pl···Z1Ukw_7I

TH
--
Triple Helix - Microsoft® MVP Consumer Security 2012
VIP Member Of ASAP - (Alliance of Security Analysis Professionals™)
Official Webroot SecureAnywhere (Prevx) Support Forum Helper.
(H59 Clan)



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable
reply to Win7

said by Win7:

"On opening the file for execution, the AV kernel component determines whether the file is safe"

Based on this model, you won't be able to boot your PC because your cloud AV will intercept all your OS files but there is no internet connection yet, so it is impossible to validate them as bad or good.

Which AV loads before the OS loads?
Your concern about validating a file is better framed when using "no internet connection" rather than "slow throughput speeds", IMO.
Is this more about Webroot because of their lack of local signatures?

Win7

join:2012-10-13
L5x3t4

Most AVs will start before the OS.

»www.wilderssecurity.com/showpost···tcount=2

"... other AV's got it. Some call it (early start up)"

»www.rising-global.com/Published/···0016.htm

"RISING Antivirus - removes viruses before Windows system startup"



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

1 recommendation

said by Win7:

Most AVs will start before the OS.

»www.wilderssecurity.com/showpost···tcount=2

"... other AV's got it. Some call it (early start up)"

»www.rising-global.com/Published/···0016.htm

"RISING Antivirus - removes viruses before Windows system startup"

I asked which AV loads before the OS.
Your reply answered the question
"Which AV loads before Windows login".
It's the OS that drives the AV.
No OS, no AV.

Win7

join:2012-10-13
L5x3t4

please read this:

»msdn.microsoft.com/en-us/library···85).aspx

"As antimalware (AM) software has become better and better at detecting runtime malware, attackers are also becoming better at creating rootkits that can hide from detection. Detecting malware that starts early in the boot cycle is a challenge that most AM vendors address diligently. Typically, they create system hacks that are not supported by the host operating system and can actually result in placing the computer in an unstable state. Up to this point, Windows has not provided a good way for AM to detect and resolve these early boot threats. "



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

1 recommendation

said by Win7:

please read this:

»msdn.microsoft.com/en-us/library···85).aspx

"As antimalware (AM) software ...

This is what I got from the documentation you asked me to read. The intended OS are:
Windows 8 Consumer Preview
Windows Server 8 Beta

With the intended purpose being:
Introduction
This document describes the interface requirements for Early Launch Antimalware (ELAM) drivers. It is intended to provide information to partners about the potential ELAM driver interfaces.
The ELAM feature provides a Microsoft-supported mechanism for antimalware (AM) software to start before all other third-party components. AM drivers are initialized first and allowed to control the initialization of boot drivers, potentially not initializing unknown boot drivers. Once the boot process has initialized boot drivers and access to persistent storage is available in an efficient way, existing AM software may continue block malware from executing.


This isn't about an AV loading before the OS -
It actually documents the point I was making which was in reply to your claim that:
said by Win7:

Based on this model, you won't be able to boot your PC because your cloud AV will intercept all your OS files but there is no internet connection yet, so it is impossible to validate them as bad or good.

It's about an AV loading before third-party components, not before the OS loads.

Think of it as an OS loading without any power source.
That's just not possible - something needs to power it.
That's the same relationship between the OS & the AV - the OS is what supplies the AV with its power source, in a manner of speaking.


Elite

join:2002-10-03
Orange, CT
Reviews:
·Optimum Online

1 recommendation

reply to Win7

To set the record straight, your MBR usually points to a bootloader which begins to load up core Windows files to begin booting your OS.

AV can write a device driver which is loaded into kernel memory shortly after the OS begins to load, but for your AV to actually load before the OS, would require that the AV vendor replaced your MBR/Bootloader with their own, then bootstrapped the OS booting process. Currently, I don't think anyone does this, but it's probably possible in theory.

Also... when you execute a program, your AV's resident scanner engine should hash the file and then compare it to a database also loaded in RAM, or in the case of a cloud AV... the cloud.

Please also note that many "resident" scanners will hash a file once you attempt to read the file from the disk, whether you're executing the file or right-clicking it and viewing the properties.

There's no inherent weakness or strength when comparing the above process against a database on the cloud or a hash table already loaded in your computer's RAM, except for latency.

Remember that most AVs are just hashing engines. You can still get owned by brand new "fresh" malware, unless you're running some crazy HIPS which is hooking most OS functions and prompting you 100000 times before the executable runs.
--
QUAD!!!!
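The hash-lookup pipeline Elite describes, as an added example (written for this thread; it is not how Webroot, Panda or any other vendor actually implements their engine): a resident table is consulted first, a larger cloud table is the fallback when online, and the two cases the thread keeps circling back to are handled explicitly, the cloud being unreachable (as early in boot) and a "fresh" sample whose hash nobody has seen. The table entries, sample bytes and the "allow and monitor" policy for unknown files are all constructed assumptions.

```python
"""Added example: hash lookup with resident table, cloud fallback, and an
explicit policy for the cases where no verdict exists.

Everything here is constructed: the sample "files", both tables, and the
policy applied to unknown files.
"""
import hashlib
from enum import Enum


class Verdict(Enum):
    KNOWN_BAD = "known_bad"
    KNOWN_GOOD = "known_good"
    UNKNOWN = "unknown"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample files (MZ header just to look like PE images).
EVIL_V1 = b"MZ\x90\x00evil-stealer-v1"
NOTEPAD = b"MZ\x90\x00notepad"
NEW_THING = b"MZ\x90\x00cloud-only-sample"

# Resident table: small, shipped with the product, always available.
LOCAL_DB = {
    sha256(EVIL_V1): Verdict.KNOWN_BAD,
    sha256(NOTEPAD): Verdict.KNOWN_GOOD,
}
# Cloud table: a superset, only reachable when online.
CLOUD_DB = dict(LOCAL_DB, **{sha256(NEW_THING): Verdict.KNOWN_BAD})


def classify(content: bytes, online: bool,
             local_db=LOCAL_DB, cloud_db=CLOUD_DB) -> tuple:
    """Return (verdict, source). Resident table first; cloud only if online.
    No hit anywhere, or cloud needed but offline, yields UNKNOWN."""
    h = sha256(content)
    if h in local_db:
        return local_db[h], "local"
    if online and h in cloud_db:
        return cloud_db[h], "cloud"
    return Verdict.UNKNOWN, "none"


def mutate(content: bytes) -> bytes:
    """A 'fresh' variant: one appended byte, same behaviour, new hash.
    This is why a pure hashing engine misses brand-new malware."""
    return content + b"\x00"


def decide(verdict: Verdict, source: str, monitor_unknown: bool = True) -> str:
    """Action at open-for-execute. For UNKNOWN, 'allow+monitor' is a
    constructed stand-in for behaviour-based watching of an unknown file;
    set monitor_unknown=False for a strict block-unknown policy."""
    if verdict is Verdict.KNOWN_BAD:
        return "block"
    if verdict is Verdict.KNOWN_GOOD:
        return "allow"
    return "allow+monitor" if monitor_unknown else "block"


if __name__ == "__main__":
    for label, sample, online in [
        ("known bad, offline", EVIL_V1, False),
        ("cloud-only bad, online", NEW_THING, True),
        ("cloud-only bad, offline", NEW_THING, False),
        ("fresh variant, online", mutate(EVIL_V1), True),
    ]:
        v, src = classify(sample, online)
        print(f"{label:26} -> {v.value:10} via {src:5} -> {decide(v, src)}")
```

Two things fall out of running it. A hash in the resident table is decided without any network at all, which is the boot-time case; and the mutated sample is UNKNOWN to both tables even though it is byte-for-byte the old malware plus one byte, which is Elite's "fresh malware" point and the reason the unknown-file policy matters more than where the table lives.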



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

1 recommendation

said by Elite:

To set the record straight, ...

Thanks for the technical side of that.
I had resorted to an analogy for a lack of technical specifics.


Greg Davis

join:2011-11-15
San Mateo, CA
kudos:2
reply to Win7

A resident signature database by itself does not mean that it is better at automatically detecting threats, as threats mutate all the time. Webroot SecureAnywhere uses a combination of basic definition files that are local, along with the heuristics engine and the cloud database, to detect known and unknown threats. If a machine were not connected to the cloud, the Identity Shield, for example, is able to detect when an application is wrongly sending personal data.
--
Greg Davis
Webroot Support Team
»www.webroot.com/En_US/index.html