Risk
8/6/2008
00:00 AM
Commentary
Commentary
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Antivirus Software Heads for the Clouds

When you stop and think about it, there's nothing really new about "cloud computing" other than it being a buzzword du jour for high-tech hypemeisters. That's not to say that as a concept, cloud computing -- Internet-based infrastructures that deliver IT services -- isn't useful. It most certainly is, and with any luck at all, new and unique applications for cloud computing will continue to pop up. Like the CloudAV project at the University of Michigan, for instance.

When you stop and think about it, there's nothing really new about "cloud computing" other than it being a buzzword du jour for high-tech hypemeisters. That's not to say that as a concept, cloud computing -- Internet-based infrastructures that deliver IT services -- isn't useful. It most certainly is, and with any luck at all, new and unique applications for cloud computing will continue to pop up. Like the CloudAV project at the University of Michigan, for instance.

According to security reseachers, traditional antivirus software is becoming increasingly ineffective, as evident by malware detection rates as low as 35 percent against the most recent threats and an average window of vulnerability exceeding 48 days. In other words, new threats go undetected for an average of seven weeks

The CloudAVCloudAV approach that Jon Oberheide, Evan Cooke, and Farnam Jahanian describe in their paper CloudAV: N-Version Antivirus in the Network Cloud, moves antivirus functionality off local PCs and into the cloud where it analyzes suspicious files using multiple antivirus and behavioral detection programs simultaneously.

To develop this approach, the trio evaluated 12 traditional antivirus software programs from vendors such as Avast, AVG, BitDefender, ClamAV, CWSandbox, F-Prot, F-Secure, Kaspersky, McAfee, Norman Sandbox, Symantec, and Trend Micro against 7,220 malware samples, including viruses, collected over a year. Traditional antivirus software that resides on a PC checks documents and programs as they are accessed. Because of performance constraints and program incompatibilities, only one antivirus detector is typically used at a time. CloudAV, however, can support a large number of malicious software detectors that act in parallel to analyze a single incoming file. Each detector operates in its own virtual machine, so the technical incompatibilities and security issues are resolved.

CloudAV is accessible to any computer or mobile device on the network that runs a simple software agent. Each time a computer or device receives a new document or program, that item is automatically detected and sent to the antivirus cloud for analysis. The CloudAV system the researchers built uses 12 different detectors that act together to tell the PC whether the item is safe to open.

CloudAV also caches analysis results, speeding up the process compared with traditional antivirus software. This could be useful when multiple employees access the same document. The new approach also includes what the developers call "retrospective detection," which scans its file access history when a new threat is identified. This allows it to catch previously-missed infections earlier. Finally, they see opportunities for CloudAV application to cell phones and other mobile devices that aren't robust enough to carry powerful antivirus software.

 

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2006-1318
Published: 2014-09-19
Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability."

CVE-2012-2588
Published: 2014-09-19
Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Enterprise 6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, or (3) Subject header or (4) body in an SMTP e-mail message.

CVE-2012-6659
Published: 2014-09-19
Cross-site scripting (XSS) vulnerability in the admin interface in Phorum before 5.2.19 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-1391
Published: 2014-09-19
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding.

CVE-2014-3614
Published: 2014-09-19
Unspecified vulnerability in PowerDNS Recursor (aka pdns_recursor) 3.6.x before 3.6.1 allows remote attackers to cause a denial of service (crash) via an unknown sequence of malformed packets.

Best of the Web
Dark Reading Radio