09.22.08, 6:00 AM ET
To fight an epidemic of malicious code, security software vendors are heading to the data center.
Anti-virus programs are notorious for acting suspiciously like the malicious software they're meant to eradicate, hijacking your PC and choking its resources by scanning files endlessly.
Now, security software vendors are hoping to solve that parasitic problem with the same information technology transformation meant to make all software cheaper, more efficient and less resource-intensive: the move to the "cloud."
In the past months, cybersecurity vendors including F-Secure, McAfee, Symantec and Trend Micro have all released new versions of their software designed to move more of the work of identifying viruses, Trojans and other forms of "malware" off of desktop PCs and onto faraway servers connected by the Internet. Beyond lightening the load on their customers' machines by performing more analysis as a networked service, they also claim that the cloud-based approach may be a more effective strategy for keeping up with the ever-faster flood of new malicious code.
By all appearances, more desktop machines are becoming infected with malicious software than ever before. Over the past year, the number of PCs ensnared in botnets--herds of users' computers infected with malicious software that sends spam or performs click fraud--has more than quadrupled, according to cybersecurity researchers at the Shadowserver Foundation.
One element of the problem, says Trend Micro's vice president, Carol Carpenter, is the acceleration of malware's mutation into new, as-yet-undetected strains. "Three or four years ago, we saw 50 new threats a day. Now we see 50,000 threats a day," she says. "The order of magnitude has changed dramatically."
That means protecting users from newly discovered malware is no longer a matter of days or hours but seconds. Updating a customer's anti-virus software three times a day, as the 2008 version of Symantec's Norton software advertises, or even 10 times a day, as F-Secure boasts, is no longer enough.
The cloud-based approach announced by Trend Micro in June and implemented earlier this month by McAfee and F-Secure is designed to cut that vulnerable period to seconds. Rather than wait for a database of newly identified malware signatures to be downloaded to a PC, the upgraded software computes a "hash" of every new application running on a machine (a short cryptographic fingerprint that identifies the file without transmitting its contents) and compares that fingerprint against the vendor's continuously updated databases of known threats and known-safe files on the vendor's own servers. If the application matches nothing in the database of safe files, the software warns the user and performs a closer scan of the file for suspicious characteristics.
That communication between the PC and the database over the Internet, say researchers at F-Secure and McAfee, takes as little as 100 milliseconds. And by pulling the process off the desktop and into the cloud, it uses just a fraction of the computing resources of a traditional anti-virus scan.
Software developers take different approaches to cloud-based anti-malware. F-Secure, for instance, looks up every application, while McAfee applies an initial filter based on a file's size and on how obscured its code is (whether the executable appears packed or obfuscated) to decide whether it needs to be checked in the cloud at all. Jon Oltsik, an analyst with Enterprise Strategy Group, points out that Trend Micro was the first to announce the technology, but balks at picking which company's approach is most effective. "From a technology perspective, they're all pretty close," he says. "This is not a game of leapfrog. It's a change in the way we have to do things to keep up with the monumental growth in the number and sophistication of attacks."
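The lookup flow the article describes, as an added example that is not code from F-Secure, McAfee, Symantec or Trend Micro: the file is identified to the service by a SHA-256 hash rather than by its contents, a cheap local pre-filter on size and executable type decides which files earn a round trip, and files the service has never seen fall through to a closer local scan (here a byte-entropy check as a stand-in for "looks packed"). The "cloud" is an in-memory dict so the example runs offline; the sample bytes, the size cap and the entropy threshold are all constructed for illustration, and the outage path shows why a client must not fail open when the service is unreachable.

```python
"""Toy cloud-lookup anti-malware client (added example, not vendor code).

The vendor database is simulated in memory; sample bytes and thresholds
are constructed and carry no meaning outside this example.
"""
import hashlib
import math
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a known-good and a known-bad executable.
# Neither is real malware; the "bad" one is bad only because it is listed.
SAMPLE_GOOD = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n" * 8
SAMPLE_BAD = b"MZ" + b"\x00" * 62 + b"constructed-bad-sample " * 8

# Toy vendor databases keyed by hash (assumed shape, not any vendor's schema).
CLOUD_KNOWN_BAD = {sha256_hex(SAMPLE_BAD)}
CLOUD_KNOWN_GOOD = {sha256_hex(SAMPLE_GOOD)}


class CloudUnavailable(Exception):
    """Raised when the reputation service cannot be reached."""


def cloud_lookup(digest: str, online: bool = True) -> str:
    """Return 'bad', 'good' or 'unknown' for a hash; only the hash leaves the host."""
    if not online:
        raise CloudUnavailable("no route to reputation service")
    if digest in CLOUD_KNOWN_BAD:
        return "bad"
    if digest in CLOUD_KNOWN_GOOD:
        return "good"
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted code sits near 8, plain code well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Assumed pre-filter limits; the article gives no numbers.
MAX_LOOKUP_SIZE = 32 * 1024 * 1024
PACKED_ENTROPY = 7.0


def needs_cloud_lookup(data: bytes) -> bool:
    """Cheap local triage: only executables within the size cap get a round trip."""
    return data[:2] == b"MZ" and len(data) <= MAX_LOOKUP_SIZE


def closer_scan(data: bytes) -> str:
    """Local fallback for files the service has never seen."""
    if shannon_entropy(data) >= PACKED_ENTROPY:
        return "suspicious"  # high entropy: looks packed or obfuscated
    return "unknown"         # nothing to go on; the user gets a warning


def classify(data: bytes, online: bool = True) -> str:
    """Verdict for one file: skipped, clean, malicious, suspicious or unknown."""
    if not needs_cloud_lookup(data):
        return "skipped"
    try:
        verdict = cloud_lookup(sha256_hex(data), online)
    except CloudUnavailable:
        verdict = "unknown"  # do not fail open: treat as unseen and scan locally
    if verdict == "bad":
        return "malicious"
    if verdict == "good":
        return "clean"
    return closer_scan(data)


if __name__ == "__main__":
    print(classify(SAMPLE_GOOD))              # clean
    print(classify(SAMPLE_BAD))               # malicious
    # A single appended byte changes the hash and defeats the match: the
    # reactive limitation the article's critics describe, in one line.
    print(classify(SAMPLE_BAD + b"\x00"))     # unknown
    print(classify(SAMPLE_BAD, online=False)) # unknown (service down)
```

The last two calls in the usage block are the point a practitioner should take away: an exact-hash lookup catches only files that are byte-identical to something already in the database, and a client that cannot reach the service has to degrade to local scanning rather than silently allow the file.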
Security offerings in the cloud aren't strictly new. The security firm Postini, for instance, offered to scrub e-mail for spam and viruses as early as 1999, filtering e-mail before it reached a user's computer without any software on his or her desktop. In July of 2007, the firm was purchased by Google to be integrated into the search giant's software-as-a-service applications.
In fact, none of the major software vendors implementing malware-detection in the cloud are offering "cloud computing" in that pure form: Each application still involves installing software on the desktop to more easily scan a client's machine and also to detect threats that come from sources other than the Internet, such as a USB drive.
Still, that incomplete move to the cloud holds the potential to act as a kind of collective intelligence, says Oltsik. A software vendor like Symantec, for instance, asks its users to opt in to what it calls the Norton Insight system, which currently assembles data from 17 million customers and uses it to better understand when a new strain of malicious code has appeared. Security researchers liken that approach to a "neighborhood watch" strategy.
Even so, cybersecurity isn't likely to overtake the extraordinary evolution of malware, says Rich Mogull, a security consultant and blogger. Even with malware detection performed over the Internet and piped out at faster speeds than ever before to client computers, no company offers anything beyond "signature-based" filtering, or filtering by characteristics in the program's code, says Mogull. In other words, new malicious files can only be detected after they've been found elsewhere in a company's anti-malware network.
Because malware will appear in forms that even a company's Internet-hosted database doesn't recognize, outbreaks will still occur even among "protected" computers, he says. Given that some cybercriminals are now writing custom malware targeted at single organizations, that's not enough, he says. "No matter how fast we react in this cloud-based scenario, it's still reactive," he says.
But the next generations of anti-malware software may go beyond signature-based detection. Researchers have been working for years on "behavior-based" malware detection, watching what applications do rather than looking at their characteristics to determine their intent.
Symantec's vice president of research and technology, Carey Nachenberg, says its software, possibly in the next year, will try a "reputation-based" approach. He declines to share details of the new strategy but says that one simple element of reputation is simply how many times an application has been seen before--newer, unique applications will be automatically less trusted than common, tested ones. He says the system is closer to Google's Web page ranking algorithm than traditional anti-virus programs.
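A toy version of the prevalence idea Nachenberg describes, added here as an example; it is not Norton Insight or any vendor's scoring and the thresholds, client identifiers and timestamps are constructed. The score rises with the number of distinct opted-in clients that have reported a hash and with how long the hash has been in circulation, and it requires both: a file that a thousand machines start running on the same afternoon is exactly the case a reputation system should not trust yet.

```python
"""Toy file-reputation service (added example, not any vendor's code).

Observations are (hash, client_id, timestamp) reports from opted-in
clients. Trust is a function of distinct reporting clients and age.
All thresholds below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class FileReputation:
    first_seen: int                          # unix seconds of the first report
    clients: Set[str] = field(default_factory=set)


class ReputationService:
    def __init__(self, min_clients: int = 100, min_age_days: int = 7):
        self.files: Dict[str, FileReputation] = {}
        self.min_clients = min_clients       # distinct clients for full prevalence
        self.min_age_days = min_age_days     # days in circulation for full age credit

    def report(self, digest: str, client_id: str, now: int) -> None:
        """Record that client_id saw digest at time now."""
        rep = self.files.setdefault(digest, FileReputation(first_seen=now))
        # Count distinct clients, not raw reports: one machine replaying the
        # same report a thousand times must not manufacture prevalence.
        rep.clients.add(client_id)

    def score(self, digest: str, now: int) -> float:
        """0.0 for a never-seen file up to 1.0 for a widespread, long-lived one."""
        rep = self.files.get(digest)
        if rep is None:
            return 0.0
        prevalence = min(len(rep.clients) / self.min_clients, 1.0)
        age_days = (now - rep.first_seen) / 86400
        age = min(age_days / self.min_age_days, 1.0)
        # Product, not sum: a brand-new file seen everywhere at once scores 0.
        return prevalence * age

    def trust(self, digest: str, now: int) -> str:
        """Bucket the score; assumed cut-offs."""
        s = self.score(digest, now)
        if s >= 0.75:
            return "trusted"
        if s >= 0.25:
            return "neutral"
        return "untrusted"


def demo() -> Dict[str, str]:
    """Constructed scenario: returns the trust bucket for each case."""
    svc = ReputationService()
    t0 = 1_222_041_600                     # arbitrary epoch for the example
    two_weeks = t0 + 14 * 86400

    # Widespread file: 200 distinct clients report it on day one.
    for i in range(200):
        svc.report("hash-common", f"client-{i}", t0)
    # Lone file: one client reports it 1000 times.
    for _ in range(1000):
        svc.report("hash-rare", "client-x", t0)
    # Moderately common file: 50 distinct clients.
    for i in range(50):
        svc.report("hash-mid", f"client-{i}", t0)

    return {
        "common_day0": svc.trust("hash-common", t0),          # untrusted: too new
        "common_2w": svc.trust("hash-common", two_weeks),     # trusted
        "rare_2w": svc.trust("hash-rare", two_weeks),         # untrusted
        "mid_2w": svc.trust("hash-mid", two_weeks),           # neutral
        "never_seen": svc.trust("hash-none", two_weeks),      # untrusted
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Counting distinct clients blunts simple replay, but an attacker who can enrol many fake clients can still inflate prevalence, which is why a real deployment would also weight reports by how long each client has itself been participating; the age gate in `score` is the cheaper half of that defence.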
"Right now, our fingerprinting is faster than ever before," Nachenberg says. "But in the future, the fingerprints disappear completely."
2008 Forbes.com LLC™ All Rights Reserved