At last year’s VB conference we promised to answer a set of questions concerning the performance of cloud-based anti-virus software. The feedback was overwhelming, both from fellow researchers and large corporations, particularly ISPs. No wonder, since the number of viruses grows at an exponential rate. Being able to provide instant protection and enhanced detection rates at a (possibly) lower bandwidth cost proved to be a winning combination.
In the ﬁrst part of this paper we will describe, in detail, our cloud-based anti-virus engine, including a set of statistics, optimization opportunities that were revealed only after performing a few hundred thousand scans, comparisons with current technologies, etc. We will talk about the beneﬁts and drawbacks of keeping at least part of the virus signature database and scanning logic on our servers and, more interestingly, about the instances when cloud-based scanning is clearly more efﬁcient than traditional approaches.
The second part of the presentation will cover a new client-server technology, called ‘IMD’ (Intelligent Malware Detection). The client side of IMD runs on the client and is responsible for gathering ‘IMD ﬂags’, while the server side is responsible for collecting the ﬂags, applying rules and ultimately deciding whether a ﬁle is suspicious or not. We will also describe some cases when the server has enough information to blacklist ﬁles automatically, thus reaching the holy grail: instant detection.
Full text available here: MChiriac-VB2009