Is Cloud Anti-Virus ready for the mass market?
I have been attending the Virus Bulletin conference in Geneva, Switzerland, for the first time this year. This morning I watched Andreas Marx and Maik Morgenstern of av-test.org deliver a talk entitled "Why 'In-The-Cloud' Scanning is not a Solution".
They presented the results of their in-depth testing of anti-virus solutions that use the cloud as a supplemental method of delivering malware identities. What did they find?
Overall, they determined that solutions using "in-the-cloud" services were no more effective than traditional anti-virus solutions. They also noted that the results from the vendors they tested were wildly unpredictable from one threat to the next.
One of the points Andreas made really hit home for me: the ability to publish identities is the gating factor in providing up-to-the-moment protection. The delivery mechanism is largely unimportant if you have a reliable means of getting threat data to the product.
In their paper they also note that on-computer anti-virus has far more capabilities for detecting new malware than simple file checksums. Today's cloud-based services rely on checksums, which are not equipped to deal with server-side polymorphic malware, where each copy served has a different checksum.
Andreas pointed out that there were inconsistencies in the results from some vendors. He showed how one vendor's cloud service flagged a file as suspicious, then as safe later that day, and finally as malicious that evening. During the question-and-answer period, Dmitry Gryaznov offered some clarifications on this slide from McAfee's perspective. Confusingly, Dmitry seemed to confirm that this was in fact true.
Another issue raised in the talk was network impact, especially in organizations with a large concentration of computers. It is not just malicious files that are checksummed and sent into the cloud; many legitimate files may trigger the technology as well. In their paper they point out that these transactions can be 5K bytes or more, which adds up to a potentially significant amount of bandwidth in an organization with network capacity issues.
Unless I misunderstood, this rush to identify checksums, publish them as suspicious and revoke them later seems to imply that there could be a high false-positive or false-negative rate. Andreas and Maik also touched on their concerns about quality assurance processes.
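To make the two preceding points concrete (a checksum lookup cannot match a file whose bytes have changed even slightly, and every lookup costs a network round trip), here is a small simulation. It is an added example, not code from the talk, from av-test.org or from Sophos; the cloud service, the scanner, the signature name and the two "files" are all constructed stand-ins, and the 5,000-byte per-query figure is taken from the talk as an approximation.

```python
"""Hash-lookup ("in-the-cloud") detection versus local content signatures.

Added example, not code from the talk, av-test.org or Sophos. All sample
"files" are constructed byte strings, not real binaries."""
import hashlib

# Constructed stand-ins for two downloads of the same program. The body is
# identical; only a trailing pad differs, which is all it takes to change the
# checksum (the effect server-side repacking has on hash-based lookups).
BODY = b"MZ\x90\x00" + b"EXAMPLE-MARKER-" * 4
VARIANT_A = BODY + b"\x00" * 16
VARIANT_B = BODY + b"\x11" * 16

# Assumed per-query cost; the paper puts a transaction at 5K bytes or more.
QUERY_BYTES = 5000


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CloudReputation:
    """Toy checksum lookup service: maps a digest to a verdict and counts traffic.
    (Assumption: a stand-in for a vendor service, not any real API.)"""

    def __init__(self) -> None:
        self.verdicts: dict[str, str] = {}
        self.requests = 0

    def publish(self, digest: str, verdict: str) -> None:
        self.verdicts[digest] = verdict

    def lookup(self, digest: str) -> str:
        self.requests += 1
        return self.verdicts.get(digest, "unknown")

    def bytes_on_wire(self) -> int:
        return self.requests * QUERY_BYTES


class Scanner:
    """Client-side scanner: local content signatures first (no network),
    then a cached cloud lookup for anything the signatures do not cover."""

    def __init__(self, cloud: CloudReputation, signatures: dict[str, bytes]) -> None:
        self.cloud = cloud
        self.signatures = signatures
        self.cache: dict[str, str] = {}

    def scan(self, data: bytes) -> str:
        for name, pattern in self.signatures.items():
            if pattern in data:
                return f"malicious:{name}"
        digest = sha256_hex(data)
        if digest not in self.cache:          # one round trip per distinct file
            self.cache[digest] = self.cloud.lookup(digest)
        return self.cache[digest]


def compare_approaches() -> dict:
    """Run both strategies over the two variants and report what each sees."""
    cloud = CloudReputation()
    cloud.publish(sha256_hex(VARIANT_A), "malicious")   # only variant A has been seen

    hash_only = Scanner(cloud, signatures={})
    result_hash = {
        "A": hash_only.scan(VARIANT_A),
        "A_again": hash_only.scan(VARIANT_A),             # served from the cache
        "B": hash_only.scan(VARIANT_B),                    # new hash: nothing to match
    }
    requests_hash_only = cloud.requests

    with_sig = Scanner(cloud, signatures={"example-marker": b"EXAMPLE-MARKER-"})
    result_sig = {"A": with_sig.scan(VARIANT_A), "B": with_sig.scan(VARIANT_B)}
    requests_with_sig = cloud.requests - requests_hash_only

    return {
        "hash_only": result_hash,
        "hash_only_requests": requests_hash_only,
        "with_signature": result_sig,
        "with_signature_requests": requests_with_sig,
        "bytes_on_wire": cloud.bytes_on_wire(),
    }


def fleet_bandwidth(endpoints: int, distinct_files_per_day: int) -> int:
    """Rough daily upstream volume if every endpoint queries every new file once."""
    return endpoints * distinct_files_per_day * QUERY_BYTES


if __name__ == "__main__":
    for key, value in compare_approaches().items():
        print(f"{key}: {value}")
    print("10,000 endpoints x 50 new files/day ->", fleet_bandwidth(10_000, 50), "bytes")
```

The hash-only scanner recognises variant A, but variant B, identical apart from its padding, comes back "unknown", whereas the content signature catches both without a single round trip. The client-side cache keeps repeat scans off the network, which is how the per-query overhead is normally contained; the trade-off is that a verdict the service later revokes (as in the suspicious, safe, malicious sequence above) stays cached until the entry expires or is refreshed.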
The conclusions of these tests reinforced my existing thoughts on providing the best protection for our customers' computers: provide quality updates as fast as you can. The means of delivery is not important so long as the computers receive their identities.
Sophos has used "the cloud" in our anti-spam solutions for several years, and, as with any other technology, we will carefully consider which tool provides the best protection for our customers in each scenario we provide solutions for.