Arguments against cloud-based antivirus

With any advance in science and technology there will always be critics and people oppossed to change. This has happened over and over again in the course of history. Antivirus is no different. We saw resistance when we released behavioral analysis in 2004 (which is mainstream technology nowadays) and we have seen it recently with the release of Panda Cloud Antivirus.

In this post I have compiled a list of all arguments against cloud-based antivirus that I was able to find. Let us review these arguments against cloud-based antivirus and see why they are based on either misconceptions or simple lack of understanding and knowledge of how this technology works.

A malware could cripple the Internet connection and render the cloud antivirus useless
Exactly the same thing could happen to the traditional signature based antivirus. If a malware gets through the traditional signature defenses and manages to disable your Internet connection, you will not be able to get signature updates from your AV vendor and therefore will not be protected against the new malware variants, rendering your traditional AV just as useless.

A cloud-based antivirus needs to check everything against the cloud. Takes more time
Actually not everything is checked against the cloud. At least with Panda’s implementation of cloud-scanning there are locally installed technologies (heuristics, cache of cloud-detection, goodware cache, etc.) that are able to detect a good deal of malware threats and known good files. All these files are not checked against the cloud. Think about it, once you install the cloud-based antivirus, how many new programs do you install on your computer every day? Not that many, right? Once installed, only new programs copied or trying to run on your computer are checked against the cloud (if they are not detected first by the local technologies). From our beta testing phase we have seen that on average Panda Cloud Antivirus only consumes a few KB of bandwidth per day, less than the typical traditional signature updates.

It is an invasion of privacy. I do not want my files & documents to leave my computer
This is one of the most common misconceptions, maybe due to some weak implementations of cloud-scanning by some vendors. At least in Panda’s implementation of cloud-scanning when a file is “scanned by the cloud” it doesn’t actually leave your computer, it is not uploaded to our Collective Intelligence servers. What really happens is that Panda Cloud Antivirus creates a really small reverse signature of the file and the signature is what gets checked against the cloud. Also cloud-scanning is only implemented to Portable Executable (PE) files, so your Word/Excel documents, etc. are not checked against the cloud. There is one scenario with PE files where, if it is flagged as suspicious and Collective Intelligence doesn’t already have a copy of the file, then the file is uploaded for further analysis. But even then people can opt-out of participating in the community by simply un-checking this option in the product.

Cloud-based antivirus do not protect while offline
While this might be true of some cloud-based antivirus implementations, in the case of Panda Cloud Antivirus it is not true. Panda Cloud Antivirus has a local cached copy of the Collective Intelligence cloud servers. This local cache is tasked with detecting (even while not connected to the Internet) malware that is in the wild, non-PE malware and other threats. Unlike traditional signature updates, this local cache update is a “moving target” of what the community sees as circulating out there in the wild. Therefore it is able to efficiently protect against the important threats. This local cache does not protect against Win98 or DOS viruses or even malware that is dead or not circulating anymore. That is why the community aspect of Panda Cloud Antivirus is so important as, the more people use it, the better protection it offers.
UPDATE: Panda Cloud Antivirus 1.1 includes 4 additional new layers of offline protection: 2 behavioural engines (blocking & runtime analysis), autorun disabling and USB vaccination.

So that means that it provides lower protection while offline
First let’s take a look at the practical aspect: after running the beta and release of Panda Cloud Antivirus for over 7 months with millions of users, we have not had a single recorded incident of an infected user while not connected to the Internet. There’s a common misconception that protection = detection rates of millions of samples as tested by magazines. This is not really true as those tests include malware that is dead, not circulating anymore or even does not work on your operating system (like old DOS/Win98 viruses). If we define protection as stopping real-life malware that is circulating then the offline protection that is offered by Panda Cloud Antivirus is more than enough.

So if I have some old malware and disconnect from the Internet, can I infect myself?
Yes of course. You can also take a stroll down the worse neighborhood of your city sprouting a gold watch and necklaces and there’s a pretty good chance you will be (at least) mugged. Or you can just drive off a 200 meter cliff hoping your seatbelt and airbag will be enough to save your life. Panda Cloud Antivirus was designed for real people and real-life use. With that in mind you won’t have to worry about these highly unlikely scenarios during your normal computing experience.

I’m worried about latency and response time
This a very valid worry with regards to an AV whose real-time monitor (on-access scanner) works in a synchronous mode against the cloud. Currently we have two “timeouts” in the product, a first one to notify the user of problems with latency and a second one for blocking the execution altogether if no answer is received. However from our measurements these last months in over 98% of the cases the response time of the on-access scanner is below a second. Keep in mind that only a few bytes are sent back and forth when a file is queried, so the real impact is really low.

Cloud-scanning is just the latest marketing buzzword
It seems it is becoming much more a buzzword. But it doesn’t mean there is not benefit behind it. Many different products (not only security-related) are migrating their “intelligence” to the cloud and leaving behind those old, overloaded, slow applications in exchange of faster, always up-to-date clients. There is a clear benefit not only from the perspective of developers who are much less constrained by the limitations of a single PC, but also from the point of view of the user who gets an improved computing experience without all the negative aspects of resource consumption of his/her PC.

Cloud-scanning is just a way for AV vendors to lower their cost of downloading signatures
Yeah right, you should talk to our CFO about this (he stands out as the only one with grey hairs because of how expensive this whole thing has been 🙂 ). Seriously, it would have been waaaaay cheaper to stick to the existing traditional signature download infrastructure approach than to set-up an additional multi-million infrastructure just for cloud-scanning. Not only is there the initial investment but also the continuous maintenance. And of course this does not take into consideration the additional investment in development and QA that’s also needed to develop and maintain this technology in the products.

Cloud-scanning is only good as a second opinion
This might have been true of the first cloud implementations a couple of years ago (online scanner, the first cloud-only products, etc.) but it is not true anymore. At least with Panda’s implementation, Panda Cloud Antivirus is a full replacement of a traditional AV. Panda Cloud Antivirus has the best of both worlds; it includes local protection for offline and the most effective protection while online. While some vendors are adding some cloud-scanning abilities to their existing products’ (as an additional technology in the mix of different technologies), Panda Cloud Antivirus has been developed from scratch to work in real-time in synchronous mode against the cloud. It has been proven as an effective replacement of traditional signature approach.

If you can think of any other argument against this type of technology feel free to let us know! 🙂

Related News

5 Responses

Leave a Reply
  1. Jonny
    Dec 03, 2009 - 12:54 PM

    Really well thought out article, I still believe that the crippling by disabling the internet still holds, as if the cloud av blocks malware because it isn’t sure then the user may just install / run the malware anyway.
    But I agree that this would happen if a user hadn’t got the latest traditional definintions anyway.
    At the moment av vendors like yourselves are fighting to come up with the best solutions, be it whitelisting, blacklisting, heuristics, behavioural or cloud. I believe a combo to be best personally.

  2. jon
    Dec 07, 2009 - 11:38 PM

    i think cloud antivirus is the the best becuase everyone is connected to the cloud the response time is faster and there is more malware is seen and more malware behavior seen with the cloud

    so if you have a undetected malware infection that is spreading fast. The cloud can analyze it quicker and make a signature to protect everyone connected to the cloud

    signature antivirus can’t keep up anymore so thats were cloud antivirus fills the gap

    keeps safe

  3. Paulo
    Jan 03, 2010 - 03:45 AM

    If someone who don’t know a lot about this is ok, but I know about this things (no, I don’t work for other antivirus companies) and I’m not agree with you, first “A malware could cripple the Internet connection and render the cloud antivirus useless” ok, an AV without internet is something bad, but a Cloud AV… I think that a normal AV will work better because it will have more signatures in its database than Cloud AV.

    Second, “So that means that it provides lower protection while offline” and “So if I have some old malware and disconnect from the Internet, can I infect myself?” YOU ARE A SERIOUS COMPAÑY, what are you saying!, your duty is protect the user against all threats even DOS, MS-DOS is almost nothing in Vista and 7, but it can create a lot of problems. Old viruses also exist and can infect the PCs. Also your comparison with the watch and the car is … what can I say?, stupid, the probabilities of Cloud AV is much biger than the watch. If you really want the people trust you? please, don’t say that.

    “Cloud-scanning is just the latest marketing buzzword” Yes there are benefits, I think this is something good, but now it’s a litle dangerous to trust only in this tecnology (now, in the future is other thing), but if I have an old machine (with a low RAM, etc) if I have to chose between ClamWin and your Cloud AV, I will chose your Cloud AV.

    I think the same as Jonny, a combo, but with more heuristic and behavioural than blacklisting.
    Other thing I think is that in the future (2011-2012) the other companies will use this technology as help to the other technologies, and I think that is the way, good work PANDA by thinking this and making a good job (you are not the first with the cloud idea, but your idea is better than the others).

    Well, thats all.
    PD: Sorry by my bad english.

    From Ecuador (look at the map! xD).

  4. Pedro Bustamante
    Jan 04, 2010 - 06:43 AM

    @Paulo I don’t understand your position Paulo. If your machine is Vista or Windows7, why do you care if your AV detects a DOS virus that has not been circulating for about 10 years and that, even in the highly unlikely event that you received it via email spam or some other way, the virus couldn’t even run on your Vista/W7 machine?

  5. Melvin
    Feb 02, 2010 - 02:28 PM

    If the cloud av has a backup like truprevent then it would be perfect, light and proactive.


Leave a Reply

Your email address will not be published. Required fields are marked *