Risk
8/6/2008
12:00 AM
Commentary
Commentary
Commentary
50%
50%

Antivirus Software Heads for the Clouds

When you stop and think about it, there's nothing really new about "cloud computing" other than it being a buzzword du jour for high-tech hypemeisters. That's not to say that as a concept, cloud computing -- Internet-based infrastructures that deliver IT services -- isn't useful. It most certainly is, and with any luck at all, new and unique applications for cloud computing will continue to pop up. Like the CloudAV project at the University of Michigan, for instance.

When you stop and think about it, there's nothing really new about "cloud computing" other than it being a buzzword du jour for high-tech hypemeisters. That's not to say that as a concept, cloud computing -- Internet-based infrastructures that deliver IT services -- isn't useful. It most certainly is, and with any luck at all, new and unique applications for cloud computing will continue to pop up. Like the CloudAV project at the University of Michigan, for instance.

According to security reseachers, traditional antivirus software is becoming increasingly ineffective, as evident by malware detection rates as low as 35 percent against the most recent threats and an average window of vulnerability exceeding 48 days. In other words, new threats go undetected for an average of seven weeks

The CloudAVCloudAV approach that Jon Oberheide, Evan Cooke, and Farnam Jahanian describe in their paper CloudAV: N-Version Antivirus in the Network Cloud, moves antivirus functionality off local PCs and into the cloud where it analyzes suspicious files using multiple antivirus and behavioral detection programs simultaneously.

To develop this approach, the trio evaluated 12 traditional antivirus software programs from vendors such as Avast, AVG, BitDefender, ClamAV, CWSandbox, F-Prot, F-Secure, Kaspersky, McAfee, Norman Sandbox, Symantec, and Trend Micro against 7,220 malware samples, including viruses, collected over a year. Traditional antivirus software that resides on a PC checks documents and programs as they are accessed. Because of performance constraints and program incompatibilities, only one antivirus detector is typically used at a time. CloudAV, however, can support a large number of malicious software detectors that act in parallel to analyze a single incoming file. Each detector operates in its own virtual machine, so the technical incompatibilities and security issues are resolved.

CloudAV is accessible to any computer or mobile device on the network that runs a simple software agent. Each time a computer or device receives a new document or program, that item is automatically detected and sent to the antivirus cloud for analysis. The CloudAV system the researchers built uses 12 different detectors that act together to tell the PC whether the item is safe to open.

CloudAV also caches analysis results, speeding up the process compared with traditional antivirus software. This could be useful when multiple employees access the same document. The new approach also includes what the developers call "retrospective detection," which scans its file access history when a new threat is identified. This allows it to catch previously-missed infections earlier. Finally, they see opportunities for CloudAV application to cell phones and other mobile devices that aren't robust enough to carry powerful antivirus software.

 

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8370
Published: 2015-01-29
VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, VMware Fusion 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allow host OS users to gain host OS privileges or cause a denial of service (arbitrary write to a file) by modifying a configuration file.

CVE-2015-0236
Published: 2015-01-29
libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXMLDesc interface.

CVE-2015-1043
Published: 2015-01-29
The Host Guest File System (HGFS) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware Fusion 6.x before 6.0.5 and 7.x before 7.0.1 allows guest OS users to cause a guest OS denial of service via unspecified vectors.

CVE-2015-1044
Published: 2015-01-29
vmware-authd (aka the Authorization process) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allows attackers to cause a host OS denial of service via unspecified vectors.

CVE-2015-1422
Published: 2015-01-29
Multiple cross-site scripting (XSS) vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) horder[], (2) jak_catid, (3) jak_content, (4) jak_css, (5) jak_delete_log[], (6) jak_email, (7) jak_extfile, (8) jak_file, (9) jak_hookshow[], (10) j...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.