Crowdsourced, Cloud-Based Anti-Virus? Lots Of Buzzwords, But How Does It Work?

from the who-detects-what-now? dept

We’ve seen plenty of crowdsourced anti-spam apps, but Jesse points us to a company called Immunet that claims to be launching a free “cloud-based, collaborative anti-virus” solution. The idea is that people install it, and as soon as anyone detects a virus problem, that info is shared with all of the other users, thereby (in theory) working much faster than today’s brand-name anti-virus products. However, I have to admit I can’t figure out how this works. For anti-spam stuff it makes sense — since anyone can recognize spam. But how can it work for anti-virus? Who’s determining what the actual virus is? How is it protected against false positives? None of that’s clear. I went through the company’s website, and it seems to just skip right over the question of actually detecting the virus. It makes fun of the established anti-virus providers for taking too long in examining suspected viruses in their lab, but never explains how the detection occurs otherwise. In fact, about the only thing I can figure out from the company’s own language is that it’s going to simply use the virus definitions found in those other products installed on people’s computers. If that’s true, then it won’t actually be any better or faster than those companies it was making fun of earlier. The whole thing sounds full of buzzwords and hype, but appears to have little substance.



Comments on “Crowdsourced, Cloud-Based Anti-Virus? Lots Of Buzzwords, But How Does It Work?”

43 Comments
Dark Helmet (profile) says:

Re: Re:

“You forgot the best part: people pretty much have to get infected first to know”

Plus is there a heuristic model attached to the crowd sourced antivirus as well? If not, it is easily defeated. If so, then are you ALSO crowd sourcing the back end checking for false positives on the heuristic method?

I also, including for spam, fail to see how this is more efficient than reporting to a centralized NOC which is then distributed via live updates or energize updates (to use Symantec and Barracuda as an example).

diabolic (profile) says:

The founder of Immunet claims “Fewer than 50 percent of infections are detected and stopped by the AV products that are out there.”

The article also says that “Immunet Protect can run alongside current AV products. In fact, he says, it’s designed to harness the data from security products that are already in place”.

So this tool leverages existing anti-virus clients and sends their detections to the “cloud”, then through some vetting process, and back out to the “crowd”. The idea is that infection signatures get to the folks that need them faster than they would currently. Seems like it could work but I suspect they still won’t cover the claimed 50% of infections that do not get caught.

CrushU says:

Re: Re:

Computer geeks have two words to describe people like you. Recklessly Brave.

That you have thus far avoided infection speaks volumes about your suspiciousness-detecting, and for that, I salute you, good sir.

I run an AV as a Just-In-Case event, because I got hit with a random virus that I *still* have no clue where it came from. It replaced all my .com and .exe’s with itself. THAT was fun to get rid of. >_>

Anonymous Coward says:

Re: Re: Re:

Nah, it isn’t recklessly brave. I have multiple computer science degrees and ran multiple Windows computers for over two years without any virus or spyware protection. As part of a bet I ran a full scan on one system that didn’t turn up anything more than a few tracking cookies (that I already knew about).

My rule is that if my computer is not used by anyone other than me (and possibly any very computer savvy people) without supervision and does not get a bunch of strange files or otherwise contacts unknown systems then I don’t bother with protection beyond Firefox + extensions, regular updates, and my instinct. For everything else I install the full range of protection.

Lutomes (profile) says:

Re: Re: Re: Recklessly Brave

I don’t use AV on my home computer, only the work one. And it’s only as a just in case (mainly to scan files I get from clients). I can honestly say I’ve never had any real problems (touch wood).

I browse safely in a non IE browser, don’t install untrusted software, run a hosts file to block out the majority of scummy domains & file extensions are turned on.

My only real risk is drive-by infections through security flaws in flash/java/pdf etc. But given I’m not browsing any nasty sites they could only come through either hacked sites, or adverts with exploits.

In the event that my machine gets toasted, I’ve got most data backed up to external HDDs so I like to think I’m not too reckless – still brave though.

Matt says:

Re: Re: Re: Re:

Would someone send this AC an email with a “picture” attached? Or just go through the 1001 back door holes in Microsoft Windows (that’s right, not all holes are in IE).

The truth is that no matter how “savvy” you are, viruses will be embedded into flash movies, pictures, audio files. I hope you enjoy the internet with your text-only browser, with javascript, java, flash, and any other sort of add-on turned off.

I’ve been a “tech guy” since I could walk practically, and if there is one thing I learned, it is that black hat coders are twice as good as legitimate ones.

Anonymous Coward says:

Re: Re: Re:2 Re:

See, I use something called my brain. For starters, I keep my programs patched. I also don’t open suspicious stuff from people I don’t know (and even if I did, my web mail has a virus scanner that runs before I am even given the choice of downloading anything). I sit behind a NATed router (actually, depending on which part of my network, I sit behind 2 firewalls). I have my routers set up so that people can’t randomly connect to my network, and even if they could, only very specific IP ranges can log in to either router and only while plugged in via a cable from inside the network; no logging in via the internet or wireless if you want to manage. I also run software firewalls on my computers as well, things like PeerGuardian and Adblocker (I also block via the Hosts file and use other programs for my non-windows systems) that I use to block malicious domains using lists that get updated regularly.

Were someone to try and hack me from outside, nothing would work unless they are determined enough to get through my network set-up to the point where they could install and execute code on my systems. That leaves program exploits and user stupidity as possible sources of viral infections. I am not stupid and I keep up to date on new exploits.

The thing is that even if you keep an up to date virus scanner on your system (and most people let their definitions expire), user stupidity will defeat pretty much any set up out there unless they have heavily restricted rights on the system. It isn’t hard to think for a little bit before downloading something. I have some friends trained and they don’t get viri, while some other of my friends download things from limewire and other dangerous places all the time and frequently get infections even though I regularly check to make sure they have all the patches and an up to date virus scanner.

Anonymous Coward says:

Re: Re: Re:

Most corporations and businesses use live antiviruses on their computers, that’s understandable, but as far as I know most techs generally do not use one for personal use. I’m no tech but I don’t generally use one either. When I took MIS even my MIS teacher told the class (and he had his masters) the same thing. Steve Gibson said the same thing on grc.com. The best thing to do is be careful what sites you go to, be careful what you download, have a NAT router so it can act like a firewall, and update your security patches for your operating system.

Anonymous Coward says:

Re: Re:

Well here’s a newsflash for you guys then:

There are people who DON’T know what is suspicious and what is not. A lot of these people ARE computer savvy as well.

I’ll give you a moment to gasp in astonishment…..

The thing to remember here is that just because YOU know the ins and outs of computer viruses, doesn’t mean that EVERYONE does; not even that everyone SHOULD know. In fact, I DO have AV software at home and I STILL get hit…a lot. Why/how/from who/where? I don’t have a clue. Need to brag about your personal accomplishments some more? please do it somewhere else. Even on this site, it’s just arrogant.

Anonymous Coward says:

Re: Re: Re: Re:

We aren’t bragging about personal accomplishments, merely pointing out that if the network is set up properly so people can’t randomly hook in as a source to spread a virus (whether via people from the internet trying to randomly hack you or people leeching off of wifi or friends you know getting onto your network with an infected computer) and you take a little care in your browsing habits, it is possible to go without a scanner and not get infected.

We are not suggesting everyone do this, but pointing out that it is possible and not that hard for someone to learn enough to set their network up and change their internet usage habits enough that they don’t need virus protection.

Though it occurs to me we are using different definitions of “savvy”, or at least to different extremes. Let me put it this way instead: if you grok computers then you can use them safely without virus protection; if, however, you don’t grok computers or don’t know what grok means (which in and of itself is a sign that you probably don’t grok computers) then you can’t safely run without virus protection. Doesn’t mean you are stupid, just ignorant, and everyone is ignorant in their own way; I know almost nothing about geology.

Enrico Suarve says:

Re: Re: Re:2 Re:

And the other day when techdirt was hacked, if the hackers had decided that instead of just defacing comments etc they would use the site to spread malware you would have been cool how?

When you travel with a machine outside the safety of your (admittedly sweet sounding) network setup, what guarantees do you have you don’t pick up any nasties for later transference to machines inside your safe-haven?

AV is definitely not the silver bullet the companies who produce it would have you believe, but to espouse the “no need for AV at all” goes a little far in the other direction in my experience, especially nowadays when if you do get an infection it is much more likely to be sat very quietly keylogging and performing other bot tasks, which are harder to spot than the obvious DDOS “my computer just rolled over and tanked” symptoms in the past.

Relying on a single AV layer to completely protect your machine is daft but removing this retrospective inspection layer altogether from your machine is usually also daft, and the manual checks required to ensure your machine hasn’t been rooted are usually more of a pain than just running an AV with a scheduled scan occasionally.

This is intended as more of a thought exercise to others thinking of trying this utopian AV free lifestyle, I know a few people who espouse it and in general it involves having to lock down your habits way more, stay permanently on guard, spend a lot of time fiddling and in the case of one of my friends losing around $1000 when your bank account gets emptied due to a very clever little trojan he picked up from work…

Anonymous Coward says:

Re: Re: Re:3 Re:

“And the other day when techdirt was hacked, if the hackers had decided that instead of just defacing comments etc they would use the site to spread malware you would have been cool how?”

True, if techdirt itself was spreading the crud, then I would most likely get infected if I visited it with one of my Windows OSes, though if they hosted the content on a known malware site and then used techdirt to link or otherwise redirect then my blacklists might have stopped it.

“When you travel with a machine outside the safety of your (admittedly sweet sounding) network setup, what guarantees do you have you don’t pick up any nasties for later transference to machines inside your safe-haven?”

Well, I have a rule about anti-virus software: if one of my computers leaves my network, it gets the full protection no matter what. So all my laptops get loaded up with a full suite of anti-malware programs and my gaming desktop gets it on and off based on how often I take it to LAN parties. The desktops that sit at home don’t, unless they are a server that has a port open to the world (usually something like SSH sitting on a non-standard port), but then they are all running a flavor of Linux anyway.

I just want to point out that while it sounds like I have a ton of computers, I only have a few at a time; I am talking about past computers as well. Generally I have 4-6 at any given time: a gaming rig, which gets turned into the standard desktop when replaced, which turns into a server or project computer when it gets replaced, which gets donated to someone in need when it no longer serves its purpose. I also have a couple laptops for different needs, a nettop that I keep in my car at all times in case I need to use the web and a larger laptop for when I actually need to do work or in depth examinations of people’s networks/computers or am just planning to be on it for more than 30 minutes at a time for example.

(If you can’t tell, I’ll reinstall the OS on my standard desktop and laptop based on my mood if I get bored one day. After about a year I itch to change something around and if I don’t have a planned upgrade yet then I’ll either do a fresh install of the OS to clean things up or I’ll completely switch which OS it runs. Since I don’t keep anything important on the standard desktop or my laptops it only takes about 30 mins to be up and running ready to go again since I don’t need to back up or restore.)

The network setup also evolved. The wireless in one router died once, but it had a gigabit switch built in and I had custom firmware in it nicely configured (unless you know what ports I have open, you won’t know my IP exists; I don’t reply to pings and if my router detects a port scan then it closes all ports and doesn’t reply; about the only thing I can do to improve my security in that regard is to set it up so you have to port knock) and I was feeling lazy and it seemed like a waste to get rid of it completely, so I got a new wireless router and kept it mostly separate and secured. Eventually I just redid the whole network to incorporate a dual-firewall setup as its main design.

“AV is definitely not the silver bullet the companies who produce it would have you believe but to espouse the “no need for AV at all” goes a little far in the other direction in my experience, especially nowadays when if you do get an infection it is much more likely to be sat very quietly keylogging and performing other bot tasks, which are harder to spot then the obvious DDOS “my computer just rolled over and tanked” symptoms in the past.”

“Relying on a single AV layer to completely protect your machine is daft but removing this retrospective inspection layer altogether from your machine is usually also daft, and the manual checks required to ensure your machine hasn’t been rooted are usually more of a pain than just running an AV with a scheduled scan occasionally.”

“This is intended as more of a thought exercise to others thinking of trying this utopian AV free lifestyle, I know a few people who espouse it and in general it involves having to lock down your habits way more, stay permanently on guard, spend a lot of time fiddling and in the case of one of my friends losing around $1000 when your bank account gets emptied due to a very clever little trojan he picked up from work…”

I agree, you have to be almost paranoid to do it really long term and that it isn’t for everyone, but my mentality and habits already kind of fit that. I also hate banking online and only do online transactions with my credit card; if that information gets stolen then I don’t have to pay for it, unlike the bank account. As a side note I also don’t use a credit card like most people do: I only spend what I can afford and have the card fully paid off by the end of the month so I don’t have to pay interest. I think I missed doing that about once or twice only.

I agree that running AV isn’t for everyone, but I still think that someone that groks computers can run for a while without AV, with the length based on how they use their computer and where they go. I view it kind of like some vaccinations; there are certain vaccinations you need to get if you travel to other countries and it is foolhardy not to do so, but if you stay at home all the time then there is little sense getting those vaccinations.

Enrico Suarve says:

Re: Re: Re:5 Re:

I like the sound of the firmware on your router – I no longer play with router firmware after a few bad experiences (basically I bricked mine) so I don’t really have that option.

I would however still use an AV inside your safe-haven, although from what you’ve said about the lengths you go to I doubt I’d bother setting it to real time and would just run a scheduled scan instead. My main concern would be introducing a trojan via sneakernet or one of your travelling machines; zero day malware is a pain and it can be some time before you know you’ve got it on a machine (or never if in the meantime you rebuild your traveller!). At least this way you’re still getting a retrospective warning but you don’t have to sacrifice massive amounts of performance as standard.

Your setup admittedly sounds a lot better than my friend’s botched attempt at security by obscurity. Incidentally he got owned by a lovely piece of malware which had injected itself into an .exe at work; it wasn’t picked up by their AV (eTrust) and since he trusted the app he never thought twice…

Anonymous Coward says:

Re: Re: Re:6 Re:

“I like the sound of the firmware on your router – I no longer play with router firmware after a few bad experiences (basically I bricked mine) so I don’t really have that option.”

Yeah, I have heard some horror stories about that. I basically made sure that the model I got was able to be unbricked if you botched a firmware, and it still bugs me enough that I don’t like doing it very frequently, though it is getting time to update it…. I used ddwrt and a really well supported router; it also helps that the router was a top of the line device and had a lot of the support built in.

“I would however still use an AV inside your safe-haven, although from what you’ve said about the lengths you go to I doubt I’d bother setting it to real time and just run a scheduled scan instead – my main concern would be introducing a trojan via sneakernet or one of your travelling machines, zero day malware is a pain and it can be sometime before you know you’ve got it on a machine (or never if in the meantime you rebuild your traveller!); at least this way you’re still getting a retrospective warning but you don’t have to sacrifice massive amounts of performance as standard”

I agree, if I were to try and infect my own network then sneakernet would be the way to go, but I visit other people’s houses a lot more often than they visit me. It also helps that a good section of them use Linux or are about as paranoid as me when it comes to security. If I found a virus on my laptop, which does have fully up-to-date protection, then I would also scan my other systems of course, though I would probably use a bootable drive and do a full system scan rather than deal with the possibility that the virus would be resident in memory and very tenacious.

My main reason for not using AV on some computers is an effort analysis that I do. As long as I don’t get infected, which my history has shown is unlikely, and the potential loss if I do get infected is low (which on a desktop that I keep relatively empty and they can’t get banking information from would be, in my opinion), it is more effort for me to make sure my virus programs are up to date and not interfering with my other tasks the few times I use the computer, and I am horrible at remembering to schedule tasks to do a regular scan. In fact, on most of the computers that I don’t use AV on, it is less effort for me to just reinstall the OS than it is to try and fix the virus and make sure the traces are gone. So when I run unprotected it is mostly out of laziness.

“Your setup admittedly sounds a lot better than my friends botched attempt at security by obscurity, incidentally he got owned by a lovely piece of malware which had injected itself into an .exe at work, it wasn’t picked up by their AV (eTrust) and since he trusted the app he never thought twice…”

Thanks, my set-up grew very slowly over time as I kept learning more about computer security; it used to be my hobby and desired career path until I turned to programming and actually have a degree in it. I still keep relatively up to date on new techniques, but nowadays changes on my network happen because something annoys me and I am too lazy to fix it to where it was. The dual router is a perfect example: I kept the old one because I didn’t want to back up the config, flash the new router, then restore the config, and it wasn’t less secure to take this route; at the time I didn’t care much that it was actually more secure. The only other time I made big changes is when I get bored and have something I want to try, like when I built my home-made PVR or re-organized my network so that the dual routers are actually part of the design.

Anonymous Coward says:

Re: Re: Re:

There was a virus program that actually did detect one of the versions of Windows as a virus when I was trying to perform an OS upgrade. I’ll have to see if I can find which combination it was.

Eh, oh well, found something funnier:

Is Windows a Virus?

No, Windows is not a virus. Here’s what viruses do:

* They replicate quickly – okay, Windows does that.

* Viruses use up valuable system resources, slowing down the system as they do so – okay, Windows does that.

* Viruses will, from time to time, trash your hard disk – okay, Windows does that too.

* Viruses are usually carried, unknown to the user, along with valuable programs and systems. Sigh… Windows does that, too.

* Viruses will occasionally make the user suspect their system is too slow (see 2) and the user will buy new hardware. Yup, that’s with Windows, too.

Until now it seems Windows is a virus, but there are fundamental differences: Viruses are well supported by their authors, are running on most systems, their program code is fast, compact and efficient, and they tend to become more sophisticated as they mature.

So Windows is not a virus.

It’s a bug.

Anonymous Coward says:

The low detection rates are largely attributable to server-side polymorphism. In practice, this will very soon (if it hasn’t already) result in a unique binary for each individual infected client (at least for the high-dollar malware). No amount of DAT sharing is going to get around that, and current AV products are doing about as well as could be expected with behavior-based analysis. This service seems to be mis-stating the problem and cleverly offering a solution to some pressing issue that they just made up just now.

senshikaze (profile) says:

Re: Re:

Until you realize that, as a 100% Linux user, I am almost* completely immune from all viri, and am completely immune from Windows viri.

That kind of thinking, that open source isn’t “good” for security purposes, is completely stupid when you realize that a majority of firewalls in the world are Linux based. Or was I supposed to let you have your little fantasies that closed source is somehow more secure? Time has proven it is not. But maybe you have proof. Would love to see it.

WhoCares says:

Re: Re: Re:

The ONLY reason Linux is good for security purposes is because of its minuscule market share of PCs. I appreciate what the Linux community has done and think it is a viable and valuable competition to the closed source community; however, each has its place.

To boast right now that Linux is completely immune is just ignorant of the fact that virus authors are more interested in plaguing the MAJORITY of computer users (Microsoft has close to 90% of marketshare) not the 1%-2% of computer users (linux). In other words, your “immunity” is due to the fact that no one has spent the time or effort to try to create a virus for Linux because Linux is a small fish in a big pond (but parades itself as a big fish). Any OS is vulnerable if someone actually wants to exploit its vulnerabilities. No one honestly cares about exploiting Linux, not that it cannot be done. This goes for the MAC commercials that push no viruses (Apple only has less than 10% of the overall computer market share).

Get off your high horse and make logical sense. If the market share ever suddenly shifted to another OS other than Microsoft, expect that OS to get plagued with all kinds of viruses just like Microsoft.

Chris Brenton (user link) says:

It’s still not going to work

Even if the Immunet software is functional, it is still not going to help. As post 12 states, the Malware you really need to be concerned with does not get snagged by any anti-virus client.

Also, there is no such thing as “safe sites” anymore. Look through the Register archives and you’ll see malware has been pushed out via DoubleClick and others to legit Web servers.

I’ve been working a lot with application white listing over the last few years and I’m convinced it is the way to move forward. I have clients with thousands of nodes that see a zero infection rate. Doubt any AV vendor can claim that.

I have a few write ups here if anyone is interested:
http://www.chrisbrenton.org/?s=malware

Enrico Suarve says:

Actually on topic (for a change)

I had a quick look at the Immunet thing and around the intarwebs

Initially it goes to a very simple website which only seems to have 2 or 3 pages and errors with IE6 (yeah, tell the company I work for, not me). The website is singularly odd, and a picture of the corporate office in low res on the contact page which seems to display a Starbucks is an additional odd choice.

So so far no joy

The various articles from around the globe are all very obviously based on the same press release which must have come out on the 19th given they all date from around the same time, having worked for a marketing company I know how many people will just verbatim quote any crap in a press release just to fill up space

So still looking dodgy

The technical description of how the product works on the site is basically like Mike states, lacking any real meat but a description at http://www.dintz.com/immunet-kicks-off-cloud-based-antivirus-protection/ goes a little further

NOTE: The following is my take on how it works it may be complete bollox
Basically it sounds like the AV is only scanning files as they are executed (fair enough since that’s when they usually enter memory – usually), it checks them real-time against the signature in the cloud, if the file is found to be bad it stops them executing. If the file is not in the cloud signature but one of the AVs on the machine detects it as being so then this is added to the engine

Immunet mention that once new baddies are found and confirmed they are added to the cloud engine, although there’s no real information about how or who decides that files really are bad

Additionally you are supposed to be able to add your friends and facebook contacts to your profile and somehow share your detections with them, since my friends and family consist mainly of people who still send me the “Olympic torch WORST EVER!!! virus” hoax emails I’m not sure why I’d want to do that but never mind

The only thing that makes me think this isn’t some sort of hoax and just a very clever way of sending around yet another hoax security application is that its CEO is Oliver Fredrichs, who used to work for both Security Focus and Symantec and as far as I know has a relatively good name (I couldn’t find any dirt anyway) – since Security Focus are one of the sites reviewing this I am guessing they have confirmed it really is him.

The only thing I can see that they have changed here is the concept that the signature is kept in the cloud which will mean it is always as up to date as possible as opposed to being a day out with conventional methods, and presumably means less local CPU time is absorbed scanning; that and they seem to have set up a system which will copy detections from other anti viruses, I haven’t got a clue what the facebook thing is about and in all honesty hope this is just some sort of cheesy gimmick rather than something the system actually relies on

So what happens when you disconnect from the cloud, lose your internet connection, other AV companies start altering their software to hide their detections, or your mum clicks ‘accept’ to some dodgy piece of malware I have no idea

Something to watch with one eye for the time being but I think I’ll avoid it till there’s more technical information on exactly how much information it is moving around the cloud amongst other things

Watch it be fabulous now!
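The execution-time flow Enrico sketches above (hash the file as it runs, ask the cloud, fall back to the AV engines already on the machine, push new detections back up for vetting), the open question of what happens when the client loses its connection to the cloud, and the earlier comment's objection that per-client unique binaries defeat any amount of hash sharing can all be shown in one small model. The Python below is an added example written for this thread; it is not Immunet's code and nothing on the page describes their internals. The class and function names, the two-independent-reports vetting threshold, the fail-open/fail-closed policy switch, the constructed sample bytes and the marker-string "heuristic" engine are all assumptions made for illustration.

```python
"""Toy model of an execution-time cloud hash lookup with local-engine fallback.

Constructed example; names, policies and sample bytes are assumptions, not
anything from Immunet or from the page.
"""
from __future__ import annotations

import hashlib
from enum import Enum


class Verdict(Enum):
    BLOCK = "block"
    ALLOW = "allow"
    UNKNOWN = "unknown"


def sha256_hex(data: bytes) -> str:
    """Exact-match signature used by the shared store: a SHA-256 of the bytes."""
    return hashlib.sha256(data).hexdigest()


class CloudSignatureStore:
    """Stand-in for the shared cloud signature set.

    Assumed vetting policy (the page says nothing about the real one): a hash
    is promoted to BLOCK only once `min_reports` distinct client engines have
    reported it, so a single engine's false positive does not spread to everyone.
    """

    def __init__(self, min_reports: int = 2):
        self.min_reports = min_reports
        self._verdicts: dict[str, Verdict] = {}
        self._reports: dict[str, set[str]] = {}

    def lookup(self, file_hash: str) -> Verdict:
        return self._verdicts.get(file_hash, Verdict.UNKNOWN)

    def submit_detection(self, file_hash: str, engine_name: str) -> Verdict:
        reporters = self._reports.setdefault(file_hash, set())
        reporters.add(engine_name)
        if len(reporters) >= self.min_reports:
            self._verdicts[file_hash] = Verdict.BLOCK
        return self.lookup(file_hash)


class ExecutionGuard:
    """Checks a file at execution time: cloud hash first, then local engines."""

    def __init__(self, cloud: CloudSignatureStore, local_engines: dict, fail_closed: bool = False):
        self.cloud = cloud
        self.local_engines = local_engines   # engine name -> callable(bytes) -> bool
        self.fail_closed = fail_closed       # policy when the cloud is unreachable
        self.online = True
        self._cache: dict[str, Verdict] = {} # cloud verdicts seen while online

    def _cloud_verdict(self, file_hash: str) -> tuple[Verdict, str]:
        if self.online:
            verdict = self.cloud.lookup(file_hash)
            if verdict is not Verdict.UNKNOWN:
                self._cache[file_hash] = verdict   # remember for offline use
            return verdict, "cloud"
        if file_hash in self._cache:
            return self._cache[file_hash], "cache"
        if self.fail_closed:
            return Verdict.BLOCK, "fail-closed"   # unknown + offline: refuse to run
        return Verdict.UNKNOWN, "offline"         # unknown + offline: fall through

    def check(self, data: bytes) -> tuple[Verdict, str]:
        file_hash = sha256_hex(data)
        verdict, source = self._cloud_verdict(file_hash)
        if verdict is Verdict.BLOCK:
            return verdict, source
        # Cloud has no opinion: fall back to the AV engines already on the box
        # and, if one fires, report the hash upward so other clients benefit.
        for name, detect in self.local_engines.items():
            if detect(data):
                if self.online:
                    self.cloud.submit_detection(file_hash, name)
                return Verdict.BLOCK, f"local:{name}"
        return Verdict.ALLOW, "no detection"


# Constructed samples: a known-bad file, a variant of it that differs in one
# byte (so its hash differs), and a benign file.
KNOWN_BAD = b"MZ constructed-bad-sample-0001"
VARIANT = KNOWN_BAD[:-1] + b"2"
BENIGN = b"MZ constructed-benign-tool"


def marker_heuristic(data: bytes) -> bool:
    """Stand-in for a behaviour/heuristic engine: matches on content, not exact hash."""
    return b"constructed-bad-sample" in data


def run_scenario() -> dict[str, tuple[Verdict, str]]:
    """Walks three clients through the sharing, polymorphism and offline cases."""
    cloud = CloudSignatureStore(min_reports=2)
    a = ExecutionGuard(cloud, {"EngineA": marker_heuristic})   # has a local engine
    b = ExecutionGuard(cloud, {})                               # relies on the cloud only
    c = ExecutionGuard(cloud, {"EngineC": marker_heuristic})
    r = {}
    r["b_before_sharing"] = b.check(KNOWN_BAD)      # nobody has reported it yet
    r["a_detects"] = a.check(KNOWN_BAD)             # local engine fires, 1 report
    r["b_after_one_report"] = b.check(KNOWN_BAD)    # still below vetting threshold
    r["c_detects"] = c.check(KNOWN_BAD)             # second independent report
    r["b_after_two_reports"] = b.check(KNOWN_BAD)   # now blocked from the cloud
    r["b_variant"] = b.check(VARIANT)               # new hash: hash sharing misses it
    r["a_variant"] = a.check(VARIANT)               # content heuristic still catches it
    b.online = False
    r["b_offline_known"] = b.check(KNOWN_BAD)       # served from the local cache
    r["b_offline_benign"] = b.check(BENIGN)         # fail-open: runs with no opinion
    b.fail_closed = True
    r["b_offline_benign_closed"] = b.check(BENIGN)  # fail-closed: refused
    return r


if __name__ == "__main__":
    for name, (verdict, source) in run_scenario().items():
        print(f"{name:26s} {verdict.value:8s} ({source})")
```

Two things the run makes visible that the comments only argue about: a client with no local engine never blocks the one-byte variant, because the shared store is keyed on exact hashes, and the choice between fail-open and fail-closed when the cloud is unreachable has to be made explicitly, since the cached verdicts only cover files the client has already seen.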

