Advantages of cloud antivirus:
- Short time between the discovery of new malware and ability to remove it on client's computer.
- Low system resources (at least all cloud av vendors are advertising this, and given my understanding of the technology this can be true)
Disadvantages:
- The client needs to communicate with the server. (see Bohu Trojan towards the end of this post)
- Data is collected from users and this generates privacy concerns although all vendors reassure that no private data is collected.
Ayanami already gave an excellent answer above. The following is just my limited understanding of the technology...
Traditionally, making a virus signature implies finding some working samples, reverse-engineering them, and determining a piece of code that is particular only to those samples and can be used to identify them (or at least that's how I understand the technology). This evidently takes a considerable amount of time to make just one signature. The cloud is used as a way to shorten the time between the discovery of a new malware threat and the ability to detect and remove it on client computers.

When thinking about cloud antivirus we also need to understand that it is not practical to send every file on a client's computer to the cloud and scan it there; it would be a slow process even on excellent Internet connections. Instead the client sends threat data to the server for analysis. Threat data could be, for instance, a hash of your file. A hash can be seen as a fingerprint of your file, but it is important to know that if you modify a single meaningless/small portion of your file, the obtained hash is totally different. Therefore hash-based detection can be easily avoided by file modification. Luckily threat data can also be behavioral analysis. Malware usually shares some characteristics like origin, lack of uninstall abilities, no visible window or tray icon, imitation of trusted process names, compression and encryption, ability to autostart, etc., and as mentioned earlier all this data is sent to the cloud.

Anyway, the result from the cloud could be that the file is safe, malicious or unknown. In the case of an unknown file most cloud-based solutions take the opportunity to collect the sample, and this leads to another important function - collective intelligence. Data (samples, behavioral patterns) is collected mainly (I suppose) from the community of users and stored in the cloud. This means that the more users it has, the better a cloud av can be. This also raises privacy concerns, as mentioned in the beginning.
This data is processed automatically (although I assume that in some cases a deeper analysis by specialists can be done). The ability to automatically analyze data and accurately determine if a file is malicious is what differentiates a good cloud solution from a bad one. This seems to be a complex process that is still evolving.
As mentioned, the main disadvantage of a cloud antivirus is that the client needs to communicate with the server. And the Bohu Trojan is an excellent example of how a cloud av can be seriously damaged. The trojan intercepts the packets that the client sends to the cloud, severely lowering a cloud-based antivirus's ability to detect anything. (See this post from Microsoft Malware Protection Center.)
In conclusion, using only cloud-based technology to detect malware is not a viable option at the moment. Sure, most cloud av products include some offline protection as well, but at this point I think (personal opinion) that their focus was on the cloud technology for a long time and they can't provide the same level of protection as traditional av-s while offline (or affected by a malware similar to Bohu).
I personally prefer products that started as traditional av-s and added a cloud component in the mix.
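As an added illustration (not part of the answer above, and not any vendor's code), the following simulates the hash-based client/cloud lookup the answer describes: it shows that a one-byte change to a known file yields an entirely different SHA-256 digest, so a hash-only reputation lookup degrades from "malicious" to "unknown", and that a client should treat an unreachable cloud (the Bohu scenario) as "unknown" rather than "safe". All file contents and the reputation table are constructed stand-ins.

```python
import hashlib

# Constructed byte strings standing in for real files (not real malware).
KNOWN_MALICIOUS = b"MZ constructed sample: autostart, hidden window, packed"
KNOWN_SAFE = b"MZ constructed sample: benign text editor"

def file_hash(data: bytes) -> str:
    """Client-side 'threat data': a SHA-256 fingerprint of the whole file."""
    return hashlib.sha256(data).hexdigest()

# Server-side reputation table keyed by full-file hash (constructed).
CLOUD_DB = {
    file_hash(KNOWN_MALICIOUS): "malicious",
    file_hash(KNOWN_SAFE): "safe",
}

def cloud_lookup(digest: str, reachable: bool = True):
    """Simulated cloud query. None models a channel that is blocked or
    intercepted, the failure mode the Bohu discussion describes."""
    if not reachable:
        return None
    return CLOUD_DB.get(digest, "unknown")

def differing_hex_digits(a: str, b: str) -> int:
    """How many of the 64 hex digits differ between two SHA-256 digests."""
    return sum(x != y for x, y in zip(a, b))

def classify(data: bytes, reachable: bool = True) -> tuple[str, str]:
    """Client decision: returns (verdict, source). Never reports 'safe'
    merely because the server could not be reached."""
    verdict = cloud_lookup(file_hash(data), reachable)
    if verdict is None:
        return "unknown", "cloud-unreachable"   # fall back to local scanning
    if verdict == "unknown":
        return verdict, "sample-queued"         # collective-intelligence step
    return verdict, "cloud"

if __name__ == "__main__":
    # A single trailing byte changed: the digest no longer matches, so the
    # hash-only lookup downgrades a known-bad file to 'unknown'.
    modified = KNOWN_MALICIOUS[:-1] + b"!"
    print(differing_hex_digits(file_hash(KNOWN_MALICIOUS), file_hash(modified)))
    print(classify(KNOWN_MALICIOUS), classify(modified))
    print(classify(KNOWN_MALICIOUS, reachable=False))
```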