Risk
8/6/2008
12:00 AM
Commentary
Commentary
Commentary
50%
50%

Antivirus Software Heads for the Clouds

When you stop and think about it, there's nothing really new about "cloud computing" other than it being a buzzword du jour for high-tech hypemeisters. That's not to say that as a concept, cloud computing -- Internet-based infrastructures that deliver IT services -- isn't useful. It most certainly is, and with any luck at all, new and unique applications for cloud computing will continue to pop up. Like the CloudAV project at the University of Michigan, for instance.

When you stop and think about it, there's nothing really new about "cloud computing" other than it being a buzzword du jour for high-tech hypemeisters. That's not to say that as a concept, cloud computing -- Internet-based infrastructures that deliver IT services -- isn't useful. It most certainly is, and with any luck at all, new and unique applications for cloud computing will continue to pop up. Like the CloudAV project at the University of Michigan, for instance.

According to security reseachers, traditional antivirus software is becoming increasingly ineffective, as evident by malware detection rates as low as 35 percent against the most recent threats and an average window of vulnerability exceeding 48 days. In other words, new threats go undetected for an average of seven weeks

The CloudAVCloudAV approach that Jon Oberheide, Evan Cooke, and Farnam Jahanian describe in their paper CloudAV: N-Version Antivirus in the Network Cloud, moves antivirus functionality off local PCs and into the cloud where it analyzes suspicious files using multiple antivirus and behavioral detection programs simultaneously.

To develop this approach, the trio evaluated 12 traditional antivirus software programs from vendors such as Avast, AVG, BitDefender, ClamAV, CWSandbox, F-Prot, F-Secure, Kaspersky, McAfee, Norman Sandbox, Symantec, and Trend Micro against 7,220 malware samples, including viruses, collected over a year. Traditional antivirus software that resides on a PC checks documents and programs as they are accessed. Because of performance constraints and program incompatibilities, only one antivirus detector is typically used at a time. CloudAV, however, can support a large number of malicious software detectors that act in parallel to analyze a single incoming file. Each detector operates in its own virtual machine, so the technical incompatibilities and security issues are resolved.

CloudAV is accessible to any computer or mobile device on the network that runs a simple software agent. Each time a computer or device receives a new document or program, that item is automatically detected and sent to the antivirus cloud for analysis. The CloudAV system the researchers built uses 12 different detectors that act together to tell the PC whether the item is safe to open.

CloudAV also caches analysis results, speeding up the process compared with traditional antivirus software. This could be useful when multiple employees access the same document. The new approach also includes what the developers call "retrospective detection," which scans its file access history when a new threat is identified. This allows it to catch previously-missed infections earlier. Finally, they see opportunities for CloudAV application to cell phones and other mobile devices that aren't robust enough to carry powerful antivirus software.

 

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2184
Published: 2015-03-27
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.

CVE-2014-3619
Published: 2015-03-27
The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.

CVE-2014-8121
Published: 2015-03-27
DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up while the database is iterated over...

CVE-2014-9712
Published: 2015-03-27
Websense TRITON V-Series appliances before 7.8.3 Hotfix 03 and 7.8.4 before Hotfix 01 allows remote administrators to read arbitrary files and obtain passwords via a crafted path.

CVE-2015-2157
Published: 2015-03-27
The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.