Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Antivirus Vendors Push Toward Cloud Computing

Key elements of software now being delivered on a software-as-a-service basis

NEW YORK -- Interop Fall 2008 -- Antivirus software is taking up more and more memory on enterprise computers, both on the client and server ends. But new software-as-a-service (SaaS) offerings -- sometimes called "cloud computing" -- may change the AV picture in the near future, according to at least one vendor exhibiting on the show floor here this week.

Antivirus and security software vendor Panda Security has completed a new study which indicates that the growth of malware and other attacks will soon overwhelm current client/server-based AV software, according to Ryan Sherstobitoff, chief corporate evangelist at Panda.

The problem, Sherstobitoff says, it that the rapid proliferation of malware necessitates the rapid growth of signature-based software programs, which vaccinate the client against each new threat. "From 2006 to 2007, we documented about 300,000 malware samples," he says. "This year, it's around 2.5 million. We have seen incidents in which 500,000 malware samples were created overnight. And it's only going to increase as hackers become more sophisticated."

The result is that antivirus vendors are pushing out larger and larger signature files to clients and servers, and sucking up more and more CPU memory. "We're seeing about 200,000 new threats per month, which translates to a file that's 60-80 megabytes," Sherstobitoff says. "The clients are being vaccinated for 5,000 to 6,000 new signatures per day. You see situations where 50 to 60 percent of the CPU is being eaten up by antivirus software at times. The question is how much CPU can the AV software eat up before it's too much?"

Worse, Sherstobitoff says, the signature-based updates are becoming less effective. In a study of almost a million clients, Panda found that 30 percent of U.S. PCs contained an active infection -- even though half of them were running up-to-date antivirus or anti-malware software. "In Europe, it's about 37 percent," he says. "In Asia, it's close to 50 percent."

Among all the PCs that Panda studied, about 80 percent contained malware, Sherstobitoff says. About half of them contained an active Trojan. "What's clear out of all of this is that the current signature-based model is not working," he says. "We need a better method."

Panda, which rolled out its Panda 2009 line just three weeks ago, hopes to address the problem by moving some of its product capabilities into a "cloud computing" SaaS model. The idea is to put the memory-intensive signatures into a central database that can be accessed via a thinner client, thus reducing the CPU drag on the client machine.

"Instead of downloading a huge 60-80-megabyte file of signatures," Sherstobitoff says, "we can deliver a subset of the data, maybe 15-20 MB, and leave the rest on a Web server." Eventually, the company plans to store less and less data on clients and servers, making less and less impact on CPU utilization. "We'd like to evolve to a 100 percent SaaS model," he says.

The cloud computing approach could also make antivirus software more effective in stopping malware and other attacks, Sherstobitoff says. By employing a broad-based set of servers for analyzing new attacks and developing vaccinations, Panda may be able to better correlate the attack data and apply computing muscle to the process. "If we see malware in one country, we can more easily correlate it with a similar attack we see in another country," he says. This makes the signature process more effective and less bulky on the client end, he says.

Of course, the cloud computing model isn't without its drawbacks. It relies on a connection between the client and the antivirus server, which means there could be network latency problems, Sherstobitoff observes. And all clients will have to be outfitted with some method of "rolling back" to local AV if the connection to the security host becomes unavailable.

"There are some issues that we'll have to deal with, but as more and more applications and data move to the Web, this approach will be more and more compatible with what users are doing," Sherstobitoff says.

Other AV vendors, including McAfee and Symantec, are offering SaaS-based products as well.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd
PUBLISHED: 2021-01-22
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.