
Antivirus Vendors Push Toward Cloud Computing

Key elements of software now being delivered on a software-as-a-service basis

NEW YORK -- Interop Fall 2008 -- Antivirus software is taking up more and more memory on enterprise computers, both on the client and server ends. But new software-as-a-service (SaaS) offerings -- sometimes called "cloud computing" -- may change the AV picture in the near future, according to at least one vendor exhibiting on the show floor here this week.

Antivirus and security software vendor Panda Security has completed a new study which indicates that the growth of malware and other attacks will soon overwhelm current client/server-based AV software, according to Ryan Sherstobitoff, chief corporate evangelist at Panda.

The problem, Sherstobitoff says, is that the rapid proliferation of malware necessitates the rapid growth of signature-based software programs, which vaccinate the client against each new threat. "From 2006 to 2007, we documented about 300,000 malware samples," he says. "This year, it's around 2.5 million. We have seen incidents in which 500,000 malware samples were created overnight. And it's only going to increase as hackers become more sophisticated."

The result is that antivirus vendors are pushing out larger and larger signature files to clients and servers, and sucking up more and more CPU memory. "We're seeing about 200,000 new threats per month, which translates to a file that's 60-80 megabytes," Sherstobitoff says. "The clients are being vaccinated for 5,000 to 6,000 new signatures per day. You see situations where 50 to 60 percent of the CPU is being eaten up by antivirus software at times. The question is how much CPU can the AV software eat up before it's too much?"

Worse, Sherstobitoff says, the signature-based updates are becoming less effective. In a study of almost a million clients, Panda found that 30 percent of U.S. PCs contained an active infection -- even though half of them were running up-to-date antivirus or anti-malware software. "In Europe, it's about 37 percent," he says. "In Asia, it's close to 50 percent."

Among all the PCs that Panda studied, about 80 percent contained malware, Sherstobitoff says. About half of them contained an active Trojan. "What's clear out of all of this is that the current signature-based model is not working," he says. "We need a better method."

Panda, which rolled out its Panda 2009 line just three weeks ago, hopes to address the problem by moving some of its product capabilities into a "cloud computing" SaaS model. The idea is to put the memory-intensive signatures into a central database that can be accessed via a thinner client, thus reducing the CPU drag on the client machine.

"Instead of downloading a huge 60-80-megabyte file of signatures," Sherstobitoff says, "we can deliver a subset of the data, maybe 15-20 MB, and leave the rest on a Web server." Eventually, the company plans to store less and less data on clients and servers, making less and less impact on CPU utilization. "We'd like to evolve to a 100 percent SaaS model," he says.

The cloud computing approach could also make antivirus software more effective in stopping malware and other attacks, Sherstobitoff says. By employing a broad-based set of servers for analyzing new attacks and developing vaccinations, Panda may be able to better correlate the attack data and apply computing muscle to the process. "If we see malware in one country, we can more easily correlate it with a similar attack we see in another country," he says. This makes the signature process more effective and less bulky on the client end, he says.

Of course, the cloud computing model isn't without its drawbacks. It relies on a connection between the client and the antivirus server, which means there could be network latency problems, Sherstobitoff observes. And all clients will have to be outfitted with some method of "rolling back" to local AV if the connection to the security host becomes unavailable.
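As an added illustration (not code from the article or from Panda), the following Python sketch models the thin-client design described above: a small local signature subset, a cloud lookup for everything else, and the "roll back to local" path taken when the server is unreachable or slower than the client's timeout. The service class, sample files and their hashes are all constructed for this example.

```python
import hashlib

# Constructed sample "files"; their hashes stand in for signatures and are not real IoCs.
SAMPLES = {
    "old_worm.exe": b"constructed sample: long-known, widely seen threat",
    "new_trojan.exe": b"constructed sample: threat first seen in the last few hours",
    "notes.txt": b"constructed sample: benign document",
}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The thin client keeps only a small local subset (the article's "15-20 MB");
# the full set lives behind the central service.
LOCAL_SIGNATURES = {digest(SAMPLES["old_worm.exe"])}
CLOUD_SIGNATURES = LOCAL_SIGNATURES | {digest(SAMPLES["new_trojan.exe"])}

class CloudUnavailable(Exception):
    """Raised when the signature server does not answer within the timeout."""

class CloudSignatureService:
    """Hypothetical stand-in for the central signature database (not a vendor API)."""
    def __init__(self, signatures, latency_s=0.05, reachable=True):
        self.signatures, self.latency_s, self.reachable = signatures, latency_s, reachable

    def lookup(self, sha256: str, timeout_s: float) -> bool:
        # Simulated network: an outage or a reply slower than the timeout both fail.
        if not self.reachable or self.latency_s > timeout_s:
            raise CloudUnavailable()
        return sha256 in self.signatures

class HybridScanner:
    def __init__(self, local, cloud, timeout_s=0.5):
        self.local, self.cloud, self.timeout_s = local, cloud, timeout_s
        self.fallbacks = 0  # count degraded scans; a rising value is worth alerting on

    def scan(self, data: bytes) -> tuple:
        """Return (verdict, source): local subset first, then cloud, else degrade."""
        h = digest(data)
        if h in self.local:
            return ("malicious", "local")
        try:
            hit = self.cloud.lookup(h, self.timeout_s)
        except CloudUnavailable:
            self.fallbacks += 1
            # Only the local subset was consulted, so "clean" cannot honestly be
            # claimed; report the gap instead of silently failing open.
            return ("unknown", "local-only")
        return ("malicious" if hit else "clean", "cloud")
```

The `fallbacks` counter is the operational signal: a client that keeps returning "local-only" verdicts is running with the reduced signature set and should be visible to the security team.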

"There are some issues that we'll have to deal with, but as more and more applications and data move to the Web, this approach will be more and more compatible with what users are doing," Sherstobitoff says.

Other AV vendors, including McAfee and Symantec, are offering SaaS-based products as well.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
