Home / Blogs

Taking the Leap to Cloud-Based Malware Inspection

Is desktop anti-virus dead? Someday I’d love to make that announcement, but it still feels to me that there’s a Patron Saint of Voodoo with an affinity for bringing it back to life—like some macabre mirror image of the malicious zombies it’s supposed to provide protection against.

It’s kind of ironic that today’s innovation in desktop anti-virus isn’t really happening at the desktop; rather it’s occurring in the cloud. Today, the best performing desktop anti-virus products pass copies of suspicious files and URL’s up to their vendors cloud for detailed analysis and, in response, down comes a diagnostic of the file that was analyzed. Several vendors have been doing this for a number of years, but have only recently been promoting the “cloud” part. Apparently people are more comfortable with the cloud nowadays—go figure.

What advantages are there to using the “cloud” for anti-virus protection? Here are just a few that I’ve pulled from various literature I happened to come across:

  • Scalability – the ability to keep pace with the ever-increasing volume of new malware.
  • Efficiency – instead of analyzing the same piece of malware on ten thousand desktop computers, why not do it just once?
  • Improved engines – there’s only so much technology you can push down to a desktop. Advanced malware detection needs sophisticated automated analysis and dissection technologies that are too big to run side-by-side with Microsoft Excel.
  • Global visibility – there are numerous advantages in being able to see a new piece of malware early on in its lifecycle. Having thousands or millions of “sensors” (i.e. customer deployments) means that there’s a steady flood of timely material to analyze.
  • Zero-day detection – the ability to employ sophisticated analysis engines that specialize in “edge case” malware detection makes it easier to spot those real zero-day threats.

Hidden within these anti-malware analysis clouds lie each vendor’s latest innovations. That said, at the end of the day we’re still talking about desktop anti-virus as a protection platform—with a software component installed upon the customer’s (aka “victims”) computer—which is worth a gripe all of its own. In a nutshell though, desktop anti-virus suffers from three critical problems:

  1. Desktop anti-virus runs upon a desktop operating system, side by side other applications. There are too many ways in which the attacker can inject their malware onto the victim’s computer and slip under the anti-virus product’s protective gaze.
  2. The bad guys have access to all these products and simply QA their latest malware samples to ensure that it evades. The malware they send out has already been proven to evade detection.
  3. If the bad guys have physical access to your protection technology, they’ll always be able to subvert and evade it.

An obvious remedy to these problems is to remove the protection elements from the bad guys grasp. In particular, move it off the desktop.

Despite the obvious advantages of using the cloud for malware analysis, I find it stupefying that some folks have only taken a half-way step in moving off the desktop and onto a dedicated network appliance—without making the logical leap to cloud-based malware analysis.

To be sure, there are a lot of products on the market that specialize in in-situ automated malware analysis. Earlier this year I discussed the canned sandboxing techniques that various vendors supply and a more detailed side-by-side comparison of the various Next Generation Anti-Virus [PDF] products. But, at the end of the day, why oh why would you want to run poisonous, evasive and downright dangerous criminal (and state-sponsored) malware inside your own organization’s network? It’s like setting off fireworks while you’re still indoors!

Luckily, over the last couple of weeks though there’s been substantial advancement in this area. Multiple security vendors are now adding advanced cloud-based malware analysis and disassembly to their network protection platforms. Basically augmenting their in-situ network detection systems with real-time advanced malware analysis—and doing it in such a way that it’ll scale with the threat, provide the highest detection and analysis capabilities, and do it all without increasing the appliance cost.

Last week Palo Alto Networks (PAN) announced their new WildFire cloud-based anti-malware defenses, and this week Damballa launched their free (included in the latest release of Damballa Failsafe) cloud-based malware analysis platform. (Disclaimer: I am employed by Damballa, Inc.) I’m sure that there will be a handful of additional announcements from other vendors over the next few months.

While cloud-based malware analysis is obviously the way to go in dealing the advanced (and advancing) nature of the threat, I think there are still a bundle of questions that the industry will need to somehow figure out how to answer. In particular, as with most things “cloud”, it’s often a little foggy as to what’s going on behind the scenes.

A key question going forward is going to relate to the apples-to-apples comparisons between the various cloud-based malware analysis platforms and their capabilities in identifying and dissecting the latest threat advances. I suspect that vendors are going to have to open the kimono a little more—perhaps providing insight in to what overriding technologies they employ (e.g. virtual machines, emulators, bare-metal, KVM automation, etc.) when executing their malware analysis and maybe even the pedigree of the folks tasked with supporting and innovating within that cloud framework.

In the future, customers are going to have to figure out which anti-malware cloud is better than the other. In the meantime though, it would appear that Next Generation Anti-Virus is finally proceeding down a path that actually makes an impact on malware-based cybercrime and targeted attacks.

By Gunter Ollmann, CTO, Security (Cloud and Enterprise) at Microsoft

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


There's an obvious threat here that worms like conficker have long been aware of Suresh Ramasubramanian  –  Nov 16, 2011 10:35 AM

Conficker was quite good at blocking off user access to various update and AV services, so the CWG’s eye chart was a rather interesting way for a user to know he had conficker.

Now, you speak about moving most if not all the protection logic onto the cloud.  So - what about users whose internet connectivity is disrupted, either by heavy outbound traffic from a spambot that maxes out his pipe, or by deliberate action taken by the bot to firewall off security vendor IP space ..

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.



Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

Brand Protection

Sponsored byCSC