Paul Ducklin, head of technology for the Asia-Pacific region at Sophos, told ZDNet Asia in a phone interview that the cloud "is something that will improve existing mechanisms for protection" as it can block access to harmful Web sites or retrieve updates in real time.
But relying on a cloud service alone is not something that enterprises and individuals can afford to do. "The cloud isn't always there, no matter how incredibly connected you are," he pointed out, adding that there will be times when PCs are not connected due to flights, train rides or simply because there isn't a need to log on to the Internet.
"During those times you [still] want protection to continue--you want that protection to continue when someone plugs their USB drive or mobile phone into your computer so you can look at photographs and maybe pick up something along the way," said Sydney-based Ducklin. For instance, the Conficker worm used the USB drive as its primary attack vector, he noted.
In addition, users need to be protected when downloading content from the Internet that might be encrypted, where an external party is "not able to scan inside it by design".
In-the-cloud protection also may not be able to stop malware from arriving at your computer, as with a case highlighted in a blog post last month. Ultimately, said Ducklin, a defense-in-depth approach is ideal, but if protection is only planted in one place, it should be at the endpoint--be it a desktop, notebook or server.
"That doesn't mean you [ought not to] also have it at many other places on the network, but if you've only got one choice of a place to put it, that's the place you have to have it--all others are optional extras," he explained. "And whilst you have endpoint protection, [the security] software should at least take advantage of a cloud-like service in order to download and install any updates as fast as it can."
However, such a strategy needs to be moderated, added Ducklin. A sensible change control and risk management system demands that the latest security updates, such as fixes and patches, are first validated on a small set--about 5 percent--of the computer population within the network, he explained, and then rolled out to the rest batch by batch.
With a "controlled cloud", updates can be received promptly via the Internet and with proper monitoring, pushed out in a non-instantaneous fashion, said Ducklin.
A spokesperson from Trend Micro's TrendLabs told ZDNet Asia in an e-mail that the scenario described in the Sophos blog post is "just another layer of obfuscation malware authors use to avert security programs" which can be thwarted with multi-layered security.
However, going forward, in-the-cloud antivirus providers such as Trend Micro will require added capability to manage encryption, decryption or "fuzzing" algorithms, the spokesperson added. There also needs to be "tighter integration" with other security components such as firewalls and behavior-monitoring engines.
This article was originally posted on ZDNet Asia.