Crowdsourced, Cloud-Based Anti-Virus? Lots Of Buzzwords, But How Does It Work?
from the who-detects-what-now? dept
We've seen plenty of crowdsourced anti-spam apps, but Jesse points us to a company called Immunet that claims to be launching a free "cloud-based, collaborative anti-virus" solution. The idea is that people install it, and as soon as anyone detects a virus problem, that info is shared with all of the other users, thereby (in theory) working much faster than today's brand-name anti-virus products. However, I have to admit I can't figure out how this works. For anti-spam stuff it makes sense, since anyone can recognize spam. But how can it work for anti-virus? Who's determining what the actual virus is? How is it protected against false positives? None of that's clear. I went through the company's website, and it seems to just skip right over the question of actually detecting the virus. It makes fun of the established anti-virus providers for taking too long in examining suspected viruses in their lab, but never explains how the detection occurs otherwise. In fact, about the only thing I can figure out from the company's own language is that it's going to simply use the virus definitions found in those other products installed on people's computers. If that's true, then it won't actually be any better or faster than those companies it was making fun of earlier. The whole thing sounds full of buzzwords and hype, but appears to have little substance.
Filed Under: anti-virus, buzzwords, cloud, crowd sourced
Reader Comments
I don't think many people would surf anymore without anti-virus protection, so putting one on that has no data to start (and then gets some from the group) would be a pretty risky way to go.
Re:
Plus is there a heuristic model attached to the crowd sourced antivirus as well? If not, it is easily defeated. If so, then are you ALSO crowd sourcing the back end checking for false positives on the heuristic method?
I also, including for spam, fail to see how this is more efficient than reporting to a centralized NOC which is then distributed via live updates or energize updates (to use Symantec and Barracuda as an example).
The article also says that "Immunet Protect can run alongside current AV products. In fact, he says, it's designed to harness the data from security products that are already in place".
So this tool leverages existing anti-virus clients and sends their detections to the "cloud", then through some vetting process, and back out to the "crowd". The idea is that infection signatures get to the folks that need them faster than they would currently. Seems like it could work, but I suspect they still won't cover the claimed 50% of infections that do not get caught.
Re:
I haven't used antivirus software in years, and I run Vista at home. The best antivirus out there is knowing what is suspicious and what is not.
Re: Re:
That you have thus far avoided infection speaks volumes about your suspiciousness-detecting, and for that, I salute you, good sir.
I run an AV as a just-in-case measure, because I got hit with a random virus that I *still* have no clue where it came from. It replaced all my .com and .exe files with itself. THAT was fun to get rid of. >_>
Re: Re: Re:
My rule is that if my computer is not used by anyone other than me (and possibly any very computer savvy people) without supervision and does not get a bunch of strange files or otherwise contacts unknown systems then I don't bother with protection beyond Firefox + extensions, regular updates, and my instinct. For everything else I install the full range of protection.
Re: Recklessly Brave
I browse safely in a non-IE browser, don't install untrusted software, run a hosts file to block out the majority of scummy domains, and have file extensions turned on.
My only real risk is drive-by infections through security flaws in flash/java/pdf etc. But given I'm not browsing any nasty sites, they could only come through either hacked sites or adverts with exploits.
In the event that my machine gets toasted, I've got most data backed up to external HDDs, so I like to think I'm not too reckless - still brave though.
Re: Re: Re: Re:
The truth is that no matter how "savvy" you are, viruses will be embedded into flash movies, pictures, audio files. I hope you enjoy the internet with your text-only browser, with javascript, java, flash, and any other sort of add-on turned off.
I've been a "tech guy" since I could walk practically, and if there is one thing I learned, it is that black hat coders are twice as good as legitimate ones.
Re: Re: Re: Re: Re:
Were someone to try and hack me from outside, nothing would work if they are determined enough to get through my network set-up to the point where they could install and execute code on my systems. That leaves program exploits and user stupidity as possible sources of viral infections. I am not stupid and I keep up to date on new exploits.
The thing is that even if you keep an up-to-date virus scanner on your system (and most people let their definitions expire), user stupidity will defeat pretty much any set-up out there unless they have heavily restricted rights on the system. It isn't hard to think for a little bit before downloading something. I have some friends trained and they don't get viri, while some other of my friends download things from limewire and other dangerous places all the time and frequently get infections even though I regularly check to make sure they have all the patches and an up-to-date virus scanner.
Re: Re:
There are people who DON'T know what is suspicious and what is not. A lot of these people ARE computer savvy as well.
I'll give you a moment to gasp in astonishment.....
The thing to remember here is that just because YOU know the ins and outs of computer viruses doesn't mean that EVERYONE does; not even that everyone SHOULD know. In fact, I DO have AV software at home and I STILL get hit...a lot. Why/how/from who/where? I don't have a clue. Need to brag about your personal accomplishments some more? Please do it somewhere else. Even on this site, it's just arrogant.
Re: Re: Re: Re:
We are not suggesting everyone do this, but pointing out that it is possible and not that hard for someone to learn enough to set their network up and change their internet usage habits enough that they don't need virus protection.
Though it occurs to me we are using different definitions of "savvy", or at least to different extremes. Let me put it this way instead: if you grok computers then you can use them safely without virus protection; if, however, you don't grok computers or don't know what grok means (which in and of itself is a sign that you probably don't grok computers) then you can't safely run without virus protection. Doesn't mean you are stupid, just ignorant, and everyone is ignorant in their own way; I know almost nothing about geology.
Re: Re: Re: Re: Re:
When you travel with a machine outside the safety of your (admittedly sweet sounding) network setup, what guarantees do you have you don't pick up any nasties for later transference to machines inside your safe-haven?
AV is definitely not the silver bullet the companies who produce it would have you believe, but to espouse the "no need for AV at all" goes a little far in the other direction in my experience, especially nowadays when if you do get an infection it is much more likely to be sat very quietly keylogging and performing other bot tasks, which are harder to spot than the obvious DDOS "my computer just rolled over and tanked" symptoms in the past.
Relying on a single AV layer to completely protect your machine is daft but removing this retrospective inspection layer altogether from your machine is usually also daft, and the manual checks required to ensure your machine hasn't been rooted are usually more of a pain than just running an AV with a scheduled scan occasionally.
This is intended as more of a thought exercise to others thinking of trying this utopian AV free lifestyle, I know a few people who espouse it and in general it involves having to lock down your habits way more, stay permanently on guard, spend a lot of time fiddling and in the case of one of my friends losing around $1000 when your bank account gets emptied due to a very clever little trojan he picked up from work...
Re: Re: Re: Re: Re: Re:
True, if techdirt itself was spreading the crud, then I would most likely get infected if I visited it with one of my windows OSes, though if they hosted the content on a known malware site and then used techdirt to link or otherwise redirect then my blacklists might have stopped it.
> When you travel with a machine outside the safety of your (admittedly sweet sounding) network setup, what guarantees do you have you don't pick up any nasties for later transference to machines inside your safe-haven?
Well, I have a rule about anti-virus software: if one of my computers leaves my network, it gets the full protection no matter what. So all my laptops get loaded up with a full suite of anti-malware programs and my gaming desktop gets it on and off based on how often I take it to LAN parties. The desktops that sit at home don't, unless they are a server that has a port open to the world (usually something like SSH sitting on a non-standard port), but then they are all running a flavor of Linux anyway.
I just want to point out that while it sounds like I have a ton of computers, I only have a few at a time; I am talking about past computers as well. Generally I have 4-6 at any given time: a gaming rig, which gets turned into the standard desktop when replaced, which turns into a server or project computer when it gets replaced, which gets donated to someone in need when it no longer serves its purpose. I also have a couple laptops for different needs, a nettop that I keep in my car at all times in case I need to use the web and a larger laptop for when I actually need to do work or in-depth examinations of people's networks/computers or am just planning to be on it for more than 30 minutes at a time, for example.
(If you can't tell, I'll reinstall the OS on my standard desktop and laptop based on my mood if I get bored one day. After about a year I itch to change something around, and if I don't have a planned upgrade yet then I'll either do a fresh install of the OS to clean things up or I'll completely switch which OS it runs. Since I don't keep anything important on the standard desktop or my laptops it only takes about 30 mins to be up and running ready to go again, since I don't need to back up or restore.)
The network setup also evolved. The wireless in one router died once, but it had a gigabit switch built in and I had custom firmware in it nicely configured (unless you know what ports I have open, you won't know my IP exists; I don't reply to pings, and if my router detects a port scan then it closes all ports and doesn't reply. About the only thing I can do to improve my security in that regard is to set it up so you have to port knock.) I was feeling lazy and it seemed like a waste to get rid of it completely, so I got a new wireless router and kept it mostly separate and secured. Eventually I just redid the whole network to incorporate a dual-firewall setup as its main design.
> AV is definitely not the silver bullet the companies who produce it would have you believe but to espouse the "no need for AV at all" goes a little far in the other direction in my experience, especially nowadays when if you do get an infection it is much more likely to be sat very quietly keylogging and performing other bot tasks, which are harder to spot then the obvious DDOS "my computer just rolled over and tanked" symptoms in the past.
> Relying on a single AV layer to completely protect your machine is daft but removing this retrospective inspection layer altogether from your machine is usually also daft, and the manual checks required to ensure your machine hasn't been rooted are usually more of a pain than just running an AV with a scheduled scan occasionally.
> This is intended as more of a thought exercise to others thinking of trying this utopian AV free lifestyle, I know a few people who espouse it and in general it involves having to lock down your habits way more, stay permanently on guard, spend a lot of time fiddling and in the case of one of my friends losing around $1000 when your bank account gets emptied due to a very clever little trojan he picked up from work...
I agree, you have to be almost paranoid to do it really long term and it isn't for everyone, but my mentality and habits already kind of fit that. I also hate banking online and only do online transactions with my credit card; if that information gets stolen then I don't have to pay for it, unlike the bank account. As a side note, I also don't use a credit card like most people do: I only spend what I can afford and have the card fully paid off by the end of the month so I don't have to pay interest. I think I missed doing that about once or twice only.
I agree that running AV isn't for everyone, but I still think that someone that groks computers can run for a while without AV, with the length based on how they use their computer and where they go. I view it kind of like some vaccinations; there are certain vaccinations you need to get if you travel to other countries and it is foolhardy not to do so, but if you stay at home all the time then there is little sense getting those vaccinations.
Re: Re: Re: Re: Re: Re: Re: Re:
I would however still use an AV inside your safe-haven, although from what you've said about the lengths you go to I doubt I'd bother setting it to real time and would just run a scheduled scan instead. My main concern would be introducing a trojan via sneakernet or one of your travelling machines; zero day malware is a pain and it can be some time before you know you've got it on a machine (or never if in the meantime you rebuild your traveller!). At least this way you're still getting a retrospective warning but you don't have to sacrifice massive amounts of performance as standard.
Your setup admittedly sounds a lot better than my friend's botched attempt at security by obscurity. Incidentally he got owned by a lovely piece of malware which had injected itself into an .exe at work; it wasn't picked up by their AV (eTrust) and since he trusted the app he never thought twice...
Re: Re: Re: Re: Re: Re: Re: Re: Re:
Yeah, I have heard some horror stories about that. I basically made sure that the model I got was able to be unbricked if you botched a firmware, and it still bugs me enough that I don't like doing it very frequently, though it is getting time to update it.... I used ddwrt and a really well supported router; it also helps that the router was a top of the line device and had a lot of the support built in.
> I would however still use an AV inside your safe-haven, although from what you've said about the lengths you go to I doubt I'd bother setting it to real time and just run a scheduled scan instead - my main concern would be introducing a trojan via sneakernet or one of your travelling machines, zero day malware is a pain and it can be sometime before you know you've got it on a machine (or never if in the meantime you rebuild your traveller!); at least this way you're still getting a retrospective warning but you don't have to sacrifice massive amounts of performance as standard
I agree, if I were to try and infect my own network then sneakernet would be the way to go but I visit other people's houses a lot more often than they visit me, it also helps that a good section of them use Linux or are about as paranoid as me when it comes to security. If I found a virus on my laptop, which does have fully up-to-date protection then I would also scan my other systems of course, though I would probably use a bootable drive and do a full system scan rather than deal with the possibility that the virus would be resident in memory and very tenacious.
My main reason for not using AV on some computers is an effort analysis that I do. As long as I don't get infected, which my history has shown is unlikely, and the potential loss if I do get infected is low (which on a desktop that I keep relatively empty and they can't get banking information from would be, in my opinion), it is more effort for me to make sure my virus programs are up to date and not interfering with my other tasks the few times I use the computer, and I am horrible at remembering to schedule tasks to do a regular scan. In fact, on most of the computers that I don't use AV on, it is less effort for me to just reinstall the OS than it is to try and fix the virus and make sure the traces are gone. So when I run unprotected it is mostly out of laziness.
> Your setup admittedly sounds a lot better than my friends botched attempt at security by obscurity, incidentally he got owned by a lovely piece of malware which had injected itself into an .exe at work, it wasn't picked up by their AV (eTrust) and since he trusted the app he never thought twice...
Thanks, my set-up grew very slowly over time as I kept learning more about computer security. It used to be my hobby and desired career path until I turned to programming, and I actually have a degree in it. I still keep relatively up to date on new techniques, but nowadays changes on my network happen because something annoys me and I am too lazy to fix it to where it was; the dual router is a perfect example. I kept the old one because I didn't want to back up the config, flash the new router, then restore the config, and it wasn't less secure to take this route; at the time I didn't care much that it was actually more secure. The only other time I made big changes is when I get bored and have something I want to try, like when I built my home-made PVR or re-organized my network so that the dual routers are actually part of the design.
Re: Re:
eh, oh well, found something funnier:
Is Windows a Virus?
No, Windows is not a virus. Here's what viruses do:
* They replicate quickly - okay, Windows does that.
* Viruses use up valuable system resources, slowing down the system as they do so - okay, Windows does that.
* Viruses will, from time to time, trash your hard disk - okay, Windows does that too.
* Viruses are usually carried, unknown to the user, along with valuable programs and systems. Sigh... Windows does that, too.
* Viruses will occasionally make the user suspect their system is too slow (see 2) and the user will buy new hardware. Yup, that's with Windows, too.
Until now it seems Windows is a virus, but there are fundamental differences: Viruses are well supported by their authors, are running on most systems, their program code is fast, compact and efficient, and they tend to become more sophisticated as they mature.
So Windows is not a virus.
It's a bug.
Re: Re: Re:
But yeah, my AV was an Archlinux livecd. Cleaned it up real good.
Re: Re:
My, how Deus Ex of you...
Re:
That kind of thinking, that open source isn't "good" for security purposes, is completely stupid when you realize that a majority of firewalls in the world are Linux based. Or was I supposed to let you have your little fantasies that closed source is somehow more secure? Time has proven it is not. But maybe you have proof. Would love to see it.
Re: Re:
To boast right now that Linux is completely immune is just ignorant of the fact that virus authors are more interested in plaguing the MAJORITY of computer users (Microsoft has close to 90% of market share), not the 1%-2% of computer users (linux). In other words, your "immunity" is due to the fact that no one has spent the time or effort to try to create a virus for Linux because Linux is a small fish in a big pond (but parades itself as a big fish). Any OS is vulnerable if someone actually wants to exploit its vulnerabilities. No one honestly cares about exploiting Linux, not that it cannot be done. This goes for the Mac commercials that push "no viruses" (Apple only has less than 10% of the overall computer market share).
Get off your high horse and make logical sense. If the market share ever suddenly shifted to another OS other than Microsoft, expect that OS to get plagued with all kinds of viruses just like Microsoft.
Re:
Maybe you don't either.
Danger Will Robinson
-- Sounds like spyware to me
"it's going to simply use the virus definitions found in those other products installed on people's computers"
-- Won't this get them in trouble for copyright?
It's still not going to work
Also, there is no such things as "safe sites" anymore. Look through the Register archives and you'll see Malware has been pushed out via DoubleClick and others to legit Web servers.
I've been working a lot with application white listing over the last few years and I'm convinced it is the way to move forward. I have clients with thousands of nodes that see a zero infection rate. Doubt any AV vendor can claim that.
I have a few write ups here if anyone is interested:
http://www.chrisbrenton.org/?s=malware
Actually on topic (for a change)
Initially it goes to a very simple website which only seems to have 2 or 3 pages and errors with IE6 (yeah, tell the company I work for, not me). The website is singularly odd, and a picture of the corporate office in low res on the contact page which seems to display a Starbucks is an additional odd choice.
So so far no joy
The various articles from around the globe are all very obviously based on the same press release, which must have come out on the 19th given they all date from around the same time. Having worked for a marketing company, I know how many people will just verbatim quote any crap in a press release just to fill up space.
So still looking dodgy
The technical description of how the product works on the site is basically like Mike states, lacking any real meat, but a description at http://www.dintz.com/immunet-kicks-off-cloud-based-antivirus-protection/ goes a little further.
NOTE: The following is my take on how it works; it may be complete bollocks.
Basically it sounds like the AV is only scanning files as they are executed (fair enough, since that's when they usually enter memory - usually). It checks them real-time against the signature in the cloud, and if the file is found to be bad it stops them executing. If the file is not in the cloud signature but one of the AVs on the machine detects it as being so, then this is added to the engine.
Immunet mention that once new baddies are found and confirmed they are added to the cloud engine, although there's no real information about how or who decides that files really are bad.
Additionally you are supposed to be able to add your friends and facebook contacts to your profile and somehow share your detections with them, since my friends and family consist mainly of people who still send me the "Olympic torch WORST EVER!!! virus" hoax emails I'm not sure why I'd want to do that but never mind
The only thing that makes me think this isn't some sort of hoax and just a very clever way of sending around yet another hoax security application is that its CEO is Oliver Fredrichs, who used to work for both Security Focus and Symantec and as far as I know has a relatively good name (I couldn't find any dirt anyway). Since Security Focus are one of the sites reviewing this, I am guessing they have confirmed it really is him.
The only thing I can see that they have changed here is the concept that the signature is kept in the cloud which will mean it is always as up to date as possible as opposed to being a day out with conventional methods, and presumably means less local CPU time is absorbed scanning; that and they seem to have set up a system which will copy detections from other anti viruses, I haven't got a clue what the facebook thing is about and in all honesty hope this is just some sort of cheesy gimmick rather than something the system actually relies on
So what happens when you disconnect from the cloud, lose your internet connection, other AV companies start altering their software to hide their detections, or your mum clicks 'accept' on some dodgy piece of malware, I have no idea.
Something to watch with one eye for the time being, but I think I'll avoid it till there's more technical information on exactly how much information it is moving around the cloud, amongst other things.
Watch it be fabulous now!
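The commenter's reading of the design (hash lookup in the cloud at execution time, local AV detections fed back to the crowd) and Mike's "who vets false positives?" question can be put together in a small model. This is an added example, not Immunet's code or anything from the page; the SHA-256 lookup, the quorum-of-distinct-clients rule, the sample bytes and the toy engines are all constructed assumptions.

```python
# Constructed model of "cloud lookup on execute + crowd-fed detections".
# Not Immunet's code; the quorum rule and the samples are assumptions for this demo.
import hashlib
from collections import defaultdict


class CloudReputation:
    """Cloud side: a table of confirmed-bad SHA-256 hashes plus pending crowd reports."""

    def __init__(self, quorum=3):
        # Distinct clients that must independently flag a hash before the crowd trusts it.
        # Without such a rule one misbehaving local engine could push a false positive
        # to every user of the service.
        self.quorum = quorum
        self.confirmed_bad = {}            # digest -> set of engine names that flagged it
        self.pending = defaultdict(set)    # digest -> set of (client_id, engine_name)

    def lookup(self, digest):
        return "bad" if digest in self.confirmed_bad else "unknown"

    def report(self, digest, client_id, engine_name):
        """Record one client's local detection; promote the hash once quorum is reached."""
        if digest in self.confirmed_bad:
            return "bad"
        self.pending[digest].add((client_id, engine_name))
        distinct_clients = {cid for cid, _ in self.pending[digest]}
        if len(distinct_clients) >= self.quorum:
            self.confirmed_bad[digest] = {eng for _, eng in self.pending.pop(digest)}
            return "bad"
        return "pending"


class Client:
    """Endpoint side: hooks execution, asks the cloud first, then any local AV engines."""

    def __init__(self, client_id, cloud, local_engines):
        self.client_id = client_id
        self.cloud = cloud
        self.local_engines = local_engines  # list of (name, callable bytes -> bool)

    def on_execute(self, file_bytes):
        digest = hashlib.sha256(file_bytes).hexdigest()
        if self.cloud.lookup(digest) == "bad":
            return "blocked"            # crowd knowledge stops it with no local signature
        flagged_by = [name for name, engine in self.local_engines if engine(file_bytes)]
        if not flagged_by:
            return "allowed"
        for name in flagged_by:         # forward local detections to the crowd
            self.cloud.report(digest, self.client_id, name)
        return "blocked"


# Constructed samples and toy engines; the marker string is invented for this demo.
MALICIOUS_SAMPLE = b"MZ\x90\x00...CONSTRUCTED-BAD-MARKER..."
BENIGN_SAMPLE = b"MZ\x90\x00...hello world..."


def signature_engine(sample):
    return b"CONSTRUCTED-BAD-MARKER" in sample


def overeager_engine(sample):
    return b"hello" in sample          # simulates a local engine producing a false positive


def run_scenario():
    """Returns the verdict each client sees as the crowd learns about the samples."""
    cloud = CloudReputation(quorum=3)
    with_av = [Client(f"c{i}", cloud, [("sig", signature_engine)]) for i in range(3)]
    bare = Client("bare", cloud, [])                      # no local AV at all
    buggy = Client("buggy", cloud, [("overeager", overeager_engine)])
    r = {}
    r["bare_before"] = bare.on_execute(MALICIOUS_SAMPLE)         # cloud knows nothing yet
    r["first_detect"] = with_av[0].on_execute(MALICIOUS_SAMPLE)  # blocked locally, reported
    r["bare_after_one"] = bare.on_execute(MALICIOUS_SAMPLE)      # one report is not quorum
    for c in with_av[1:]:
        c.on_execute(MALICIOUS_SAMPLE)
    r["bare_after_quorum"] = bare.on_execute(MALICIOUS_SAMPLE)   # protected with no signatures
    r["fp_local"] = buggy.on_execute(BENIGN_SAMPLE)              # the buggy client blocks it
    r["fp_crowd"] = bare.on_execute(BENIGN_SAMPLE)               # but the crowd does not
    return r


if __name__ == "__main__":
    for key, verdict in run_scenario().items():
        print(f"{key:18} {verdict}")
```

The trade-off the model makes visible is the one the thread circles around: a lower quorum spreads real detections faster but lets a single bad engine poison everyone, and a client that loses its cloud connection falls back to whatever local engines it has.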