[VB] Why 'in-the-cloud' scanning is not a solution
"In-the-cloud (cloud anti-virus) scanning cannot be the AV industry's new alternative"
is the topic of a talk scheduled for the 2009 Virus Bulletin Conference.
I suspect that concerns about false positives, security, and uncertain proactive response are the main factors behind this.
Maik Morgenstern AV-test
Andreas Marx AV-test
Currently, 'in the cloud' services are praised as the Holy Grail and the future of AV scanning. While such systems, built on both blacklisting and whitelisting approaches, can definitely increase detection rates and response times to new malware, this paper will show that current systems still have quite a lot of limitations:
- The implementations are not proactive, but reactive in nature, despite better response times to new threats.
- While detection rates are maximized (which looks good in test results), the risk of false positives is increased.
- The results of 'in-the-cloud' scanning can be based on much more input data of both good and malicious files, but this causes an additional performance impact on the client-, network- and server-side.
- Due to the time required to answer a query, only on-demand scanners and files which are executed are checked, but not all accessed files (as a 'traditional' on-access guard would work).
Our paper will also look at factors such as the limited caching of results, how data is transferred (e.g. via http, https or dns requests) as well as the privacy (e.g. what kind of data is submitted?), security (e.g. can responses be manipulated?), reliability and fault tolerance (e.g. what happens with a broken Internet connection?) issues of today's 'in-the-cloud' implementations by the different AV companies.
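The abstract's closing questions (what data is submitted, can responses be manipulated, what happens when the connection is down, how long are results cached) are design decisions in the client. The model below is an added illustration, not code from this post or from the VB2009 paper: a simulated vendor backend, a client that sends only a SHA-256 hash, authenticates each reply, caches verdicts with a bounded TTL, and returns "unknown" rather than "clean" when the backend is unreachable or the reply has been rewritten on the path. The class names, wire format and the shared HMAC key are assumptions for this example; a real product would pin the vendor's public key and verify a signature instead of sharing a symmetric key.

```python
"""Model of an in-the-cloud file-reputation client and the failure modes the
abstract lists. Added illustration, not the paper's or any vendor's code; the
wire format, class names and shared key are assumptions."""
import hashlib
import hmac
import json
import time

CLEAN, MALICIOUS, UNKNOWN = "clean", "malicious", "unknown"

# Constructed demo secret; a real client would pin a public key and verify a signature.
SHARED_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(payload: str) -> str:
    return hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()


class CloudService:
    """Stand-in backend: blacklist and whitelist of hashes, signed replies with a TTL."""

    def __init__(self, blacklist, whitelist, ttl=300):
        self.blacklist, self.whitelist, self.ttl = set(blacklist), set(whitelist), ttl
        self.online = True

    def query(self, digest: str):
        if not self.online:
            raise ConnectionError("backend unreachable")
        if digest in self.blacklist:
            verdict = MALICIOUS
        elif digest in self.whitelist:
            verdict = CLEAN
        else:
            verdict = UNKNOWN  # reactive by nature: never seen, so no opinion yet
        payload = json.dumps({"sha256": digest, "verdict": verdict, "ttl": self.ttl},
                             sort_keys=True)
        return payload, sign(payload)


class TamperingProxy:
    """Simulates an on-path rewrite of replies without the key: 'malicious'
    is flipped to 'clean' while the original tag is forwarded unchanged."""

    def __init__(self, upstream):
        self.upstream = upstream

    def query(self, digest: str):
        payload, tag = self.upstream.query(digest)
        return payload.replace(MALICIOUS, CLEAN), tag


class CloudScanClient:
    def __init__(self, service, max_cache_ttl=3600):
        self.service = service
        self.max_cache_ttl = max_cache_ttl  # client-side bound on how long a verdict is reused
        self.cache = {}  # digest -> (verdict, expires_at)
        self.stats = {"queries": 0, "cache_hits": 0, "tampered": 0, "offline": 0}

    def lookup(self, data: bytes, now=None) -> str:
        """Only the hash leaves the host; replies are authenticated and bound to the
        query; an unreachable backend or a tampered reply yields UNKNOWN so the
        caller can fall back to local signatures instead of assuming 'clean'."""
        now = time.time() if now is None else now
        digest = sha256_hex(data)
        hit = self.cache.get(digest)
        if hit and hit[1] > now:
            self.stats["cache_hits"] += 1
            return hit[0]
        try:
            payload, tag = self.service.query(digest)
        except ConnectionError:
            self.stats["offline"] += 1
            return UNKNOWN
        self.stats["queries"] += 1
        if not hmac.compare_digest(sign(payload), tag):
            self.stats["tampered"] += 1
            return UNKNOWN
        reply = json.loads(payload)
        if reply["sha256"] != digest:  # a valid reply for some other query (replay)
            self.stats["tampered"] += 1
            return UNKNOWN
        verdict = reply["verdict"]
        if verdict != UNKNOWN:  # do not cache 'no opinion'; the backend may learn soon
            self.cache[digest] = (verdict, now + min(reply["ttl"], self.max_cache_ttl))
        return verdict


def demo():
    """Walk one client through the situations the abstract asks about."""
    svc = CloudService(blacklist=[sha256_hex(b"EVIL")], whitelist=[sha256_hex(b"GOOD")])
    client, out = CloudScanClient(svc), {}
    out["known_bad"] = client.lookup(b"EVIL", now=0)       # queried once
    out["cached"] = client.lookup(b"EVIL", now=100)        # served from cache
    out["expired"] = client.lookup(b"EVIL", now=1000)      # TTL 300 passed, re-queried
    out["never_seen"] = client.lookup(b"NEW FILE", now=0)  # unknown, not cached
    svc.online = False
    out["offline"] = client.lookup(b"GOOD", now=0)         # unknown, not 'clean'
    svc.online = True
    victim = CloudScanClient(TamperingProxy(svc))
    out["tampered"] = victim.lookup(b"EVIL", now=0)        # rewritten reply rejected
    out["stats"], out["victim_stats"] = client.stats, victim.stats
    return out
```

Calling `demo()` shows the trade-offs in the abstract directly: the second lookup never touches the network, the third does because the cached verdict aged out, a file the backend has not seen gets no verdict at all, and both the offline case and the rewritten reply degrade to "unknown" rather than a false "clean".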