Emsisoft article: Cloud anti-virus - what is it all about?

  • 20 November 2012
  • 2 replies
  • 1446 views

Userlevel 5
  • Community Guide
  • 165 replies
Emsisoft have published an article - www.emsisoft.com/en/kb/articles/tec121119/ - which admittedly points users to their product, but there is a paragraph worth discussing from Webroot's perspective, namely this:
 
"A regular PC hosts 300,000 to 500,000 files on average. If all these were scanned, uploading the signatures created on the fly to the scan server would take forever.
 
This is exactly why cloud anti-virus software filters the files to be scanned in the first place according to different rules and parameters. For instance, there are some file types or paths that are generally considered safe. Many cloud anti-virus solutions therefore come with huge whitelists. These are sort of inverse signatures that classify known programs as safe. This massively reduces the number of files to be scanned – even though more data needs to be downloaded to your PC.
 
This incomplete scan is, however, the Achilles heel of this technology. If not all of the files are properly scanned there are always gaps that malware can use, whether these are as yet unused paths or a file type that has been considered safe until now."
 
We know WSA doesn't scan all areas at its default setting so what would their response be to the above statement?
 
Edit: fixed link

2 replies

Userlevel 7
TripleHelix nailed it.  The Journaling and Rollback present in WSA protects against potentially bad, Unknown files.  Journaling and Rollback are explained very well in this video:
 

 
They also said "This massively reduces the number of files to be scanned – even though more data needs to be downloaded to your PC."  With journaling and rollback, the most data that needs to be sent from the cloud to the agent is a 32-character MD5 and a few bits of data that say "This is bad."  Then the agent deals with it.  There is no additional data being sent to the computer from the cloud.
 
And they also talk about whitelisting entire paths and file types.  We don't whitelist paths.  That's generally a bad practice.  All it would take is for a virus that drops itself into a random directory and happens to land in one that's not monitored for an infection to not get caught. 
 
We also don't whitelist file types, though we do ignore certain kind of files by default that are not going to run.  You can't execute a picture, so it can't run malicious code.  So do we scan pictures by default?  No.  Likewise, if we judge anything to be incapable of being executed or being likely to be executed, a default scan won't pick those up.  However, if it does in fact execute, the shields pick it up anyway. 
 
There is no fundamental difference between an execution shield and a scan in terms of how WSA protects you except for the timing.  Scans are pro-active and shields are real-time.  The Journaling and Rollback feature is retroactive, for 'just in case' situations.  This combination allows for 100% protection and incredible efficiency.
Userlevel 7
Badge +56
I have read this article at Wilders and agree with some of it but not in the case of Webroot SecureAnywhere not when it comes down to 50,000+++ new malware everyday and only a full cloud anti-malware can keep up with this Increasing Amount of Threat's. I was a long time user of Prevx the FIRST full cloud anti-malware since 2004 and they were already pointing to the future, now with Webroot having the Prevx technology and building greatly upon it in the past 2 years so IMO Webroot does not have this Achilles heel what so ever in the way it treats unknown files by setting them as untrusted and limiting what the file does on the system and if the cloud determines to be bad it can rollback to the state before the infection or if it was determine to be good then it sets it to allow and stops recording the effects on the system. But the best part is that no AV will detect 100% of all malware and the rollback feature is that extra layer of protection online or offline and in the unlikely event that WSA can't clean the infection support will with there Expert Malware Removers and for free!
 
TH

Reply