Malware is a cloud-scale problem

Summary: The old downloadable signature file method of anti-malware protection is flawed in today's era of cloud-scale malware threats, say a new generation of vendors. I caught up recently with Gerhard Eschelbeck, CTO of Webroot, to learn more.

TOPICS: Cloud, Hardware, Malware

Having been one of the many victims of McAfee.com's 'false-positive' problem back in April, I've been wondering whether there's a better way of protecting against malware, as some of the commentary at the time seemed to imply. My quest at the time led to an interview during London's InfoSec show with Gerhard Eschelbeck, CTO of anti-malware vendor Webroot, and previously one of the founding members of Qualys.

Webroot provides web and email security as a cloud service, delivered from the company's own network of data centers, supplemented by Amazon capacity at times of peak load. Its use of the cloud goes further than that of McAfee.com, Symantec Norton and others, for whom the cloud is solely a distribution mechanism to keep subscribers' software up-to-date. In common with other SaaS anti-malware providers, Webroot uses what Eschelbeck calls a "multi-tier" model, in which the protection is provided primarily by software running in the cloud, in addition to having a component that runs on the client machine.

"There's always a need for a last layer of protection on the desktop," he explained. But there are two reasons why it's no longer practical to run the whole protection layer from the desktop, as older anti-malware architectures do.

First of all, there's the sheer scale of the threat. Malware is being computer-generated around the clock all over the world, he explained, which leads to huge numbers of new samples appearing — currently 40,000 a day, and rising to a projected 100,000 per day next year. In the face of that onslaught, "There's no way the signature file approach can scale," he said. "We're reaching physical limits on the desktop — and on servers as well — to protect [those devices]."

The escalation in numbers means that occasional false positives will continue to be a fact of life in the anti-malware industry, whatever methods are used. But a methodology that requires product teams to push a single downloadable signature file every few days inevitably increases the risk, he said. "The more signatures you add, the more chance you have of an error." Once a faulty file has gone out to desktops, the vendor has to build a corrected signature file and every desktop has to download it before the error is undone, whereas a cloud-based application can be corrected much more quickly. "If a false positive takes place in the cloud, it can be fixed instantly. The cloud will have false positives, but the ability to fix it is different."
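The two-tier lookup and the false-positive correction described above, as an added example that is not part of the original article and is not Webroot's code: a Python sketch in which the desktop keeps a small local signature file as its last layer and defers to a cloud reputation map that can be corrected in place. The class names, the constructed sample bytes (they are not real malware), and the 300-second cache lifetime are assumptions for illustration.

```python
"""Multi-tier anti-malware lookup: local signature file as the desktop's
"last layer", cloud reputation map as the authoritative, correctable tier.
Added example; all names and sample data are assumptions for illustration."""
import hashlib
import time


def sha256_hex(data: bytes) -> str:
    """Content hash used as the lookup key in every tier."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample files (not real malware): the bytes only need distinct hashes.
SAMPLES = {
    "dropper.exe": b"MZ\x90\x00 constructed malicious sample",
    "svchost.exe": b"MZ\x90\x00 constructed legitimate system binary",
    "invoice.pdf": b"%PDF-1.4 constructed benign document",
}
BAD = sha256_hex(SAMPLES["dropper.exe"])
GOOD = sha256_hex(SAMPLES["svchost.exe"])


class SignatureFile:
    """Old model: an immutable, versioned set of bad hashes pushed to every desktop.
    Fixing an error means building a new version and redistributing it."""

    def __init__(self, version: int, bad_hashes):
        self.version = version
        self.bad = frozenset(bad_hashes)

    def verdict(self, h: str) -> str:
        return "malicious" if h in self.bad else "unknown"


class CloudReputation:
    """Cloud tier: one authoritative hash -> verdict map, corrected in place."""

    def __init__(self):
        self._verdicts = {}
        self.online = True

    def publish(self, h: str, verdict: str) -> None:
        self._verdicts[h] = verdict          # a fix takes effect on the next lookup

    def lookup(self, h: str) -> str:
        if not self.online:
            raise ConnectionError("reputation service unreachable")
        return self._verdicts.get(h, "unknown")


class DesktopAgent:
    """Desktop tier: caches cloud verdicts for `ttl` seconds and falls back to
    the local signature file when the cloud cannot be reached."""

    def __init__(self, cloud, local_sigs, ttl=300.0, clock=time.monotonic):
        self.cloud, self.local, self.ttl, self.clock = cloud, local_sigs, ttl, clock
        self._cache = {}                      # hash -> (verdict, fetched_at)

    def scan(self, data: bytes) -> str:
        h = sha256_hex(data)
        hit = self._cache.get(h)
        if hit and self.clock() - hit[1] < self.ttl:
            return hit[0]                     # cached verdict, possibly stale
        try:
            verdict = self.cloud.lookup(h)
        except ConnectionError:
            return self.local.verdict(h)      # last layer of protection
        self._cache[h] = (verdict, self.clock())
        return verdict

    def invalidate(self, h: str) -> None:
        """What a cloud-pushed correction must do on the client: drop the stale verdict."""
        self._cache.pop(h, None)


def false_positive_scenario():
    """Both tiers start with the same error: the legitimate binary is flagged.
    Returns the verdict a desktop sees at each step of the correction."""
    sigs_v1 = SignatureFile(1, {BAD, GOOD})           # v1 wrongly lists svchost.exe
    cloud = CloudReputation()
    cloud.publish(BAD, "malicious")
    cloud.publish(GOOD, "malicious")                   # the same error, cloud side
    agent = DesktopAgent(cloud, sigs_v1, ttl=300.0)
    steps = {}
    steps["signature_file_v1"] = sigs_v1.verdict(GOOD)
    steps["cloud_before_fix"] = agent.scan(SAMPLES["svchost.exe"])
    cloud.publish(GOOD, "benign")                      # one change, nothing redistributed
    steps["cloud_after_fix_cached"] = agent.scan(SAMPLES["svchost.exe"])  # still stale
    agent.invalidate(GOOD)                             # needs a push or TTL expiry
    steps["cloud_after_fix_fresh"] = agent.scan(SAMPLES["svchost.exe"])
    cloud.online = False
    steps["offline_fallback"] = agent.scan(SAMPLES["dropper.exe"])        # local sigs catch it
    steps["offline_new_desktop_v1"] = DesktopAgent(cloud, sigs_v1).scan(SAMPLES["svchost.exe"])
    return steps


if __name__ == "__main__":
    for step, verdict in false_positive_scenario().items():
        print(f"{step:28s} {verdict}")
```

The scenario shows the caveat a practitioner would raise against "fixed instantly": the cloud-side correction is one write, but a desktop keeps serving its cached verdict until that entry is invalidated or expires, and a desktop that is offline, or that has never been online, still runs the faulty v1 signature file. The real-time desktop-to-cloud channel Eschelbeck describes as next-generation is exactly what turns an instant cloud fix into an instant desktop fix.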

The second reason for running the protection software mainly in the cloud is simply because that's where the threat is coming from today. Signature files date back to an era when most devices were standalone or running on local area networks with no connections to the outside world apart from the occasional dial-up modem. "Ten, fifteen years ago, the main infection vectors were through the floppy disk, the USB stick. Today the main vector is through the Web."

So the multi-tier defence model takes the battle as close as possible to the source of the threat, and allows the anti-malware vendors to fight a cloud-scale enemy with a cloud-scale arsenal. "You have a global view — compared to a myopic view on the desktop," said Eschelbeck. It's possible to analyze macro data such as traffic flows, and to counter threats without having to worry about the CPU constraints of individual machines.

The next frontier is to co-ordinate what's happening on the desktop with what's happening in the cloud and have information passing in real-time between desktops and cloud resources — moving from a multi-tier approach to more of a real-time fabric. That's next-generation, said Eschelbeck, but on the way.

The other question that surfaces is, why allow the threats to reach the desktop at all? If today's threats originate in the cloud, then why not clean the data stream before it gets anywhere near the end device? This after all is the principle followed by cloud-based email threat protection services such as MessageLabs and Postini. Eschelbeck agreed it was something that broadband providers perhaps ought to look at. "They maybe need to think about offering a clean pipe in the future."


Phil Wainewright

About Phil Wainewright

Since 1998, Phil Wainewright has been a thought leader in cloud computing as a blogger, analyst and consultant.


Talkback

16 comments
  • sounds like you are selling scare ware

    just migrate to Linux and everything will be fine
    Linux Geek
    • And you are selling FUD

      @Linux Geek

      Go over to Ed's blog, and let him explain to you why it won't.
      The one and only, Cylon Centurion
      • RE: Malware is a cloud-scale problem

        @NStalnecker
        Not completely true. It is not a fault of any OS that USERS download and run inappropriate files on the system. The issue was amplified by morons who didn't even know their own files were replaced!

        Has nothing to do with what OS was used, just stupidity.
        linux for me
      • Ignorance

        An old, barely supported IRC server is not Linux.
        Do you see anybody blaming Microsoft Windows for Adobe's never ending insecure products??
        wackoae
      • RE: Malware is a cloud-scale problem

        @Linux For Me

        [i]"Not completely true. It is not a fault of any OS that USERS download and run inappropriate files on the system. The issue was amplified by morons who didn't even know their own files were replaced!

        Has nothing to do with what OS was used, just stupidity."[/i]

        Which is exactly the point I have been trying to make for a while now. Fighting malware begins with the user through education. Not switching platforms.
        The one and only, Cylon Centurion
      • Not railing at you.......

        @NStalnecker
        I whole heartedly agree.
        linux for me
  • Cloud = INSECURE

    When your data is controlled by an unknown person in an unknown location, malware distribution becomes an easy task.

    Since clients believe that their files were scanned, infecting a corporate network becomes easy. Or do you really believe that corporate security scans every single bit of data all the time??

    If McAfee on its own can turn a dual core PC into a brick when it is running, just imagine what will happen if it was set to the maximum setting (constant monitoring of I/O). That is what would be required because files can be infected at any time when in the cloud.
    wackoae
  • simplify!

    The only solution to the malware problem is to stop allowing software to self-modify. The OS and apps need to reside in ROM or the hardware equivalent such that NO malware can change it. This will of course require a redesign of the PC, but there's just no choice...obviously our current strategy (hoping your software guys are better than the bad guys) is a failed strategy (unless of course you sell AV software). Here's a mockup of what such a system could look like...

    http://docs.google.com/Doc?docid=0ARC84HOAlsGaZGdwOGJ3eHhfMWR6cXZrd2hr&hl=en

    Want to install Quicken? Insert the card. Want to uninstall it? Remove the card. This will finally make the PC an "appliance" rather than a hobby for computer geeks.

    Unix = safety in numbers (small numbers). A better fundamental design? No doubt. Foolproof? An "appliance"? Nowhere near.

    gary
    gdstark13
  • Pretty stupid

    No anti-malware program worth its salt relies totally on downloaded signatures anymore, nobody tries to claim that model is adequate anymore.
    Greenknight_z
  • Cloud Based Malware Solution

    This is a very interesting article! We actually use a Cloud to provide a private, secure, and encrypted way to browse the internet. Check it out!

    http://www.youtube.com/watch?v=oRM4aWiCwxk
    GetCocoon