Battle Cloud vs. Signature Based Anti-Virus

Status
Not open for further replies.

Malware Maniac

Level 1
Thread author
May 14, 2012
673
Since I placed a post in Panda Cloud Pro vs Trend Micro stating

I would say Panda Cloud Free. But I'm not a fan of cloud AVs because without Internet you only have the user interface.

people have been responding like this.

McLovin said:
Well you have the other features, but they won't work correctly. That is what every AV company I think is going to do in the future.

and

malbky said:
Umbra I agree with Malware Maniac. It just has a cached copy of few important signatures. Suppose when I am offline I plug a USB with some old threats I am at the danger of getting infected.

So here is the question. Do you prefer a Signature based AV or a Cloud based AV?
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
Too hard to choose from; both have their pros & cons.

I would just choose an antivirus that has both signatures and cloud, such as Avast! Free.
 

Plexx

MrXidus said:
Too hard to choose from; both have their pros & cons.

I would just choose an antivirus that has both signatures and cloud, such as Avast! Free.

Totally agree here with MrXidus. Why choose one of each when you can have the best of both worlds?
 

Ayanami

New Member
Jan 14, 2012
81
Until now, no product relies on cloud/server completely; however, it is also difficult to find a product that only uses signature-based technology nowadays among the so-called big vendors on the market (or, more exactly, relies solely on local-based technology like heuristics, behaviour blocker, HIPS, firewall).

In my opinion, there are 3 different ways of using cloud technology. Some vendors have put their emphasis on it. For example, Trend Micro (Smart Protection Network), Symantec (File Reputation, SONAR...), Panda (Collective Intelligence), Webroot (you can call it Prevx4)... Some vendors use cloud as another layer of protection, such as Kaspersky (Kaspersky Security Network), ESET, Avast, Avira (Protection Cloud beta, maybe it will be integrated into the AV in the future). Some vendors like Microsoft (SpyNet), Ikarus (signature quality assurance programme), Emsisoft (anti-malware network?) etc. only use cloud as another method to collect information about unknown binaries or something else from the client with your permission (read the EULA carefully; they have mentioned that).

Another thing I have to mention is that even some local-based technology nowadays also connects to the cloud to determine what to do next by default. For example, DeepGuard from F-Secure, IDP from AVG, Auto Sandbox from Avast, HIPS by Comodo (Comodo will trust certain files with digital signatures automatically), Firewall by ZoneAlarm (DefenseNet service).

LOL :) you can see cloud everywhere now. So the last thing I want to say is, if you are concerned about privacy and do not trust the privacy statements from vendors, antivirus products nowadays are not a good choice for you. Maybe Sandboxie, AppLocker, or something else is better.
 

bogdan

Level 1
Jan 7, 2011
1,362
Advantages of cloud antivirus:
  • Short time between the discovery of new malware and ability to remove it on client's computer.
  • Low system resources (at least all cloud av vendors are advertising this and given my understanding of the technology this can be true)
Disadvantages:
  • The client needs to communicate with the server. (see Bohu Trojan towards the end of this post)
  • Data is collected from users and this generates privacy concerns although all vendors reassure that no private data is collected.

Ayanami already gave an excellent answer above. The following is just my limited understanding of the technology...

Traditionally, making a virus signature implies finding some working samples, reverse-engineering them, and determining a piece of code that is particular only to those samples and can be used to identify them (or at least that's how I understand the technology). This evidently takes a considerable amount of time to make just one signature. The cloud is used as a way to shorten the time between the discovery of a new malware threat and the ability to detect and remove it on client computers.

When thinking about cloud antivirus we also need to understand that it is not practical to send every file on a client's computer to the cloud and scan it there; it would be a slow process even on excellent Internet connections. Instead the client sends threat data to the server for analysis. Threat data could be, for instance, a hash of your file. A hash can be seen as a fingerprint of your file, but it is important to know that after modifying a single meaningless/small portion of your file the obtained hash is totally different. Therefore hash-based detection can be easily avoided by file modification.

Luckily threat data can also be behavioral analysis. Malware usually shares some characteristics like origin, lack of uninstall abilities, no visible window or tray icon, imitation of trusted process names, compression and encryption, ability to autostart, etc., and as mentioned earlier all this data is sent to the cloud. Anyway, the result from the cloud could be that the file is safe, malicious or unknown. In the case of an unknown file most cloud-based solutions take the opportunity to collect the sample, and this leads to another important function - collective intelligence. Data (samples, behavioral patterns) is collected mainly (I suppose) from the community of users and stored in the cloud. This means that the more users it has, the better a cloud av can be. This also raises privacy concerns, as mentioned in the beginning.

This data is processed automatically (although I assume that in some cases a deeper analysis can be done by specialists). The ability to automatically analyze data and accurately determine if a file is malicious is what differentiates a good cloud solution from a bad one. This seems to be a complex process that is still evolving.

As mentioned, the main disadvantage of a cloud antivirus is that the client needs to communicate with the server. And the Bohu Trojan is an excellent example of how a cloud av can be seriously damaged. The trojan intercepts the packets that the client sends to the cloud, severely lowering a cloud-based antivirus's ability to detect anything. (See this post from Microsoft Malware Protection Center).

In conclusion using only cloud based technology to detect malware is not a viable option at the moment. Sure, most cloud av products include some offline protection as well but at this point I think (personal opinion) that their focus was on the cloud technology for a long time and they can't provide the same level of protection as traditional av-s while offline (or affected by a malware similar to Bohu). I personally prefer products that started as traditional av-s and added a cloud component in the mix.
 
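The hash lookup, three-way verdict, sample collection and offline fallback described in the post above, as an added example that is not part of the original thread or any vendor's code. `ToyCloud`, `classify` and the byte strings are hypothetical stand-ins constructed for illustration.

```python
import hashlib

class CloudUnreachable(Exception):
    """Raised when the reputation service cannot be contacted."""

class ToyCloud:
    """Hypothetical in-memory stand-in for a vendor's reputation service."""
    def __init__(self, verdicts):
        self.verdicts = dict(verdicts)   # sha256 hex -> "safe" | "malicious"
        self.online = True
        self.collected = []              # hashes of unknown samples queued for analysis

    def lookup(self, digest):
        if not self.online:
            raise CloudUnreachable(digest)
        return self.verdicts.get(digest, "unknown")

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def classify(data, cloud, cache):
    """Return (verdict, source) for one file's bytes."""
    digest = fingerprint(data)
    try:
        verdict = cloud.lookup(digest)
    except CloudUnreachable:
        # Offline or blocked link: only previously cached verdicts are available.
        return cache.get(digest, "unknown"), "local-cache"
    if verdict == "unknown":
        cloud.collected.append(digest)   # sample collection for later analysis
    else:
        cache[digest] = verdict          # remember the verdict for offline use
    return verdict, "cloud"

def demo():
    # Constructed byte strings standing in for files; not real samples.
    bad = b"constructed sample A"
    good = b"constructed sample B"
    cloud = ToyCloud({fingerprint(bad): "malicious", fingerprint(good): "safe"})
    cache = {}
    results = {
        "known": classify(bad, cloud, cache),
        "one_byte_changed": classify(bad + b"\x00", cloud, cache),
    }
    cloud.online = False                 # connection lost or intercepted
    results["offline_seen_before"] = classify(bad, cloud, cache)
    results["offline_never_seen"] = classify(good, cloud, cache)
    return results, len(cloud.collected)

if __name__ == "__main__":
    print(demo())
```

The two "unknown" results are the gaps the thread discusses: a hash-only lookup says nothing about a file that differs by one byte, and an offline client knows only what it cached earlier, which is why products pair the lookup with behavioural data and a local signature set.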

McLovin

Level 76
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,224
There's good things and bad things for both. Cloud AV because it's lighter on the system, and does all its scanning up in the cloud, compared to all signature based AVs that do it from the program itself. Also, take computers, for instance, that are not connected to the internet, but are on a network that is connected to the internet (all they are used for is to be used as a storage computer): they will need something, because if not you will see them getting infected as well. They will need an AV, but having cloud won't work to its full capabilities, compared to signature based AVs. So it's much of a muchness, they both are good.

I would go for Cloud because I'm always connected to the net and cannot live without it, but if I had no internet and had it once a week then I would go for the standard AVs. Plus I like it that cloud AVs don't put a big hog on your system's resources.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
The good thing about Cloud is that everything is in real time from time to time, thus FP rates may be generally low due to the files being used by the community itself, and this update cannot be felt by the users, as just connectivity is needed, either slow or fast.

Most viruses are targeted at the lockdown of the internet, thus you need a storage of definition signatures in order to detect and remove them.

These days both functions are already in the flagship products, thus both are really needed to prevent viruses.

One of them can help a lot when the other one is dead. (Vice Versa itself)
 

Spirit

Level 2
May 17, 2012
1,832
I would prefer signature based av, but with time everything changes and now the time demands cloud av, so I am with cloud av now.
You have to change with time otherwise............ :D:D
 

Tobi

New Member
Jul 7, 2011
190
bogdan said:
Data is collected from users and this generates privacy concerns although all vendors reassure that no private data is collected.
Data is not collected by Panda. It doesn't upload the files, documents, etc., to the cloud but instead creates a reverse signature of the file and the signature is what gets checked against the cloud.

As for scanning itself, everything is NOT scanned in the cloud (at least for Panda). I suggest most of you guys to read this article: http://research.pandasecurity.com/arguments-against-cloud-based-antivirus/
 

notorious_rn

New Member
Jun 12, 2012
18
Still signature for me; in the event that I lose my internet connection, at least I have the latest signatures on my AV product to keep my computer safe for the time being....

If both worlds are being used for AV products, that would be nice....
 

MDRockstar

New Member
Dec 14, 2011
63
If a malware gets through the traditional signature defenses and manages to disable your Internet connection, you will not be able to get signature updates from your AV vendor and therefore will not be protected against the new malware variants, rendering your traditional AV just as useless.
 