TALES FROM CLOUD NINE
At last year’s VB conference we promised to answer a set of questions concerning the performance of cloud-based anti-virus software. The feedback was overwhelming, both from fellow researchers and large corporations, particularly ISPs. No wonder, since the number of viruses grows at an exponential rate. Being able to provide instant protection and enhanced detection rates at a (possibly) lower bandwidth cost proved to be a winning combination. In the first part of this paper we will describe, in detail, our cloud-based anti-virus engine, including a set of statistics, optimization opportunities that were revealed only after performing a few hundred thousand scans, comparisons with current technologies, etc. We will talk about the benefits and drawbacks of keeping at least part of the virus signature database and scanning logic on our servers and, more interestingly, about the instances when cloud-based scanning is clearly more efficient than traditional approaches. The second part of the presentation will cover a new client-server technology, called ‘IMD’ (Intelligent Malware Detection). The client side of IMD runs on the client and is responsible for gathering ‘IMD flags’, while the server side is responsible for collecting the flags, applying rules and ultimately deciding whether a file is suspicious or not. We will also describe some cases when the server has enough information to blacklist files automatically, thus reaching the holy grail: instant detection.