What Is Cloud Anti-Virus and How Does It Work?

Anti-virus companies are increasingly highlighting cloud-based capabilities of their products, extolling benefits such as "the speed of cloud computing to deliver real-time protection." What does that mean? What is cloud anti-virus anyway? Let's examine the key characteristics of cloud anti-virus products, surveying the technology while attempting to cut through the hype.

Defining Cloud Anti-Virus

I haven't been able to locate an authoritative definition of cloud anti-virus, so I humbly propose my own:

Cloud anti-virus is anti-malware technology that uses lightweight agent software on the protected endpoint, while offloading the majority of data analysis to the provider's infrastructure.

I believe this definition is consistent with the description, capabilities and architecture of most cloud anti-virus products.

Improving System Load with a Lightweight Agent

Cloud anti-virus employs agent software on the protected endpoint that is much lighter than the installed components of traditional anti-virus tools. This implies that cloud anti-virus imposes less strain on the system's resources.

Instead of having to assess whether a file is malicious by performing analysis locally, the agent captures the relevant details from the endpoint and provides them to the cloud engine for processing.

To further improve performance, the agent can be more intelligent about how it intercepts file access prior to scanning. Panda Cloud Antivirus attributed the performance improvement in their product to such a redesign:

"Traditionally AV engines have intercepted files and objects in multiple layers (entry vector, file system and execution). In each layer, each object is scanned by multiple technologies, such as antivirus signatures, rules, heuristics, behavioral analysis, etc. This redundancy of scans results in a degradation of user experience…"

Programs that are about to be launched need to be analyzed before execution occurs. Files that have been downloaded but not yet opened can be scanned asynchronously, later, when the system is idle.

The idea of sending a file for analysis even before it is used was described earlier in the CloudAV: N-Version Antivirus in the Network Cloud paper by Jon Oberheide, Evan Cooke, and Farnam Jahanian. As the paper pointed out, this approach "amortizes the transmission and analysis cost over the time elapsed between file creation and system or user-initiated access."

The relative simplicity of the agent installed on the endpoint decreases the attack surface of the local software, making it less likely that the anti-virus agent itself can be compromised due to a vulnerability.

Endpoint to Cloud Connectivity

If the endpoint is not connected to the Internet, its ability to protect the user is limited because it cannot query the anti-virus cloud. Cloud anti-virus can address this by storing a local cache of the most relevant verdicts on the endpoint. The cache can also contain results of earlier queries, so that files that have already been checked don't need to be checked again.

The cache doesn't provide the same detection capabilities for new files as the cloud service; however, the risk is balanced by the user being typically less vulnerable when disconnected from the Internet.

Network bandwidth limitations prevent most cloud anti-virus products from sending the complete contents of files that need to be scanned. Instead, cloud anti-virus typically submits information about the file when seeking the cloud's opinion about it. As described by Yury Mashevsky in The Antivirus Weather Forecast: Cloudy, the metadata includes:

"the file's unique identifier (the hash function), data about how the file came to be in the system, how it behaved, etc. New threats are identified in the cloud using metadata even though the files themselves are not actually transmitted to the cloud for initial analysis."

Note that the file's identifier may be its traditional hash, such as MD5. However, since polymorphic malware may change its code, relying on a traditional hash alone isn't sufficient. The agent may need to capture fuzzy hashes as well as other descriptive information about the file to identify it.
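The following is an added example, not code from the article or from any vendor's product, that puts the two preceding ideas together: the agent describes a file by metadata (MD5, size, origin and a fuzzy hash) rather than uploading it, checks a local cache of earlier verdicts before asking the cloud, and degrades to an "unknown" answer when offline. The cloud service is a stand-in keyed by MD5; the fuzzy hash is a simplified fixed-chunk piecewise hash standing in for context-triggered piecewise hashing such as ssdeep; the sample file contents and reputation data are constructed.

```python
"""Agent-side file identification and verdict cache.

Added example, not code from the article or from any vendor's product.
Assumptions: the cloud service is a stand-in keyed by MD5, the piecewise
hash uses fixed 64-byte chunks (real products use context-triggered
piecewise hashing such as ssdeep), and sample file contents are constructed.
"""
import hashlib
import time
from dataclasses import dataclass
from typing import Optional

CHUNK_SIZE = 64  # assumption: fixed chunk size for the simplified fuzzy hash


def md5_hex(data: bytes) -> str:
    """Traditional whole-file identifier; any one-byte change alters it completely."""
    return hashlib.md5(data).hexdigest()


def piecewise_hash(data: bytes, chunk: int = CHUNK_SIZE) -> list:
    """Simplified fuzzy hash: one short digest per fixed-size chunk, so a small
    edit changes only the chunk it lands in."""
    return [hashlib.sha1(data[i:i + chunk]).hexdigest()[:8]
            for i in range(0, len(data), chunk)]


def similarity(a: list, b: list) -> float:
    """Jaccard similarity of the two chunk-digest sets, in [0.0, 1.0]."""
    sa, sb = set(a), set(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


@dataclass
class FileMetadata:
    """What the agent submits instead of the file itself."""
    md5: str
    size: int
    origin: str      # how the file came to be on the system
    pieces: list     # fuzzy hash, for matching variants of known files


def describe(data: bytes, origin: str) -> FileMetadata:
    return FileMetadata(md5_hex(data), len(data), origin, piecewise_hash(data))


class CloudService:
    """Stand-in for the provider's reputation service (assumption: keyed by MD5)."""

    def __init__(self, known: dict):
        self.known = known  # md5 -> verdict

    def verdict(self, meta: FileMetadata) -> str:
        return self.known.get(meta.md5, "unknown")


class Agent:
    """Lightweight endpoint agent with a local cache of prior verdicts."""

    def __init__(self, cloud: CloudService, ttl_seconds: float = 3600.0):
        self.cloud = cloud
        self.ttl = ttl_seconds
        self.cache = {}       # md5 -> (verdict, expiry time)
        self.online = True

    def lookup(self, meta: FileMetadata, now: Optional[float] = None) -> tuple:
        """Return (verdict, source); source is 'cache', 'cloud' or 'offline'."""
        now = time.time() if now is None else now
        hit = self.cache.get(meta.md5)
        if hit is not None and hit[1] > now:
            return hit[0], "cache"          # already checked; no round trip needed
        if not self.online:
            return "unknown", "offline"     # cannot query the cloud; detection is limited
        verdict = self.cloud.verdict(meta)
        self.cache[meta.md5] = (verdict, now + self.ttl)
        return verdict, "cloud"


# Constructed sample "files": 1024 deterministic bytes, and a variant with one byte flipped.
ORIGINAL = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
_variant = bytearray(ORIGINAL)
_variant[500] ^= 0xFF
VARIANT = bytes(_variant)

# Constructed reputation data: the cloud already knows the original file.
KNOWN_FILES = {md5_hex(ORIGINAL): "malicious"}


if __name__ == "__main__":
    orig, var = describe(ORIGINAL, "download"), describe(VARIANT, "download")
    print("md5 equal:", orig.md5 == var.md5)
    print("fuzzy similarity:", round(similarity(orig.pieces, var.pieces), 3))
    agent = Agent(CloudService(KNOWN_FILES))
    print(agent.lookup(orig, now=0))   # answered by the cloud
    print(agent.lookup(orig, now=1))   # answered from the cache
    agent.online = False
    print(agent.lookup(var, now=2))    # offline and not cached: unknown
```

Flipping a single byte gives the variant a completely different MD5, yet the chunk-level similarity stays above 0.85, which is the property that lets the cloud relate a polymorphic sample to a file it has already judged. The cache keeps a previously returned verdict usable while the endpoint is offline, but an uncached file gets no verdict at all until connectivity returns.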

Data Analysis in the Cloud

The data collected by agents on protected endpoints is analyzed by the servers of the anti-virus service provider. If malicious activities are observed on some endpoints in association with files not previously considered malicious, cloud anti-virus updates its perspective on those files for subsequent queries.

Yury Mashevsky described server-side processing of cloud anti-virus as an expert system that is automatically trained based on the input received from endpoint agents. One of the benefits of offloading analysis to the cloud is that the decision engine's logic isn't directly accessible to authors of malware, making it harder for attackers to assess the tool's effectiveness.

Jon Oberheide et al. discussed the possibility of deploying multiple scanning engines in the provider's cloud. Some traditional anti-virus products deploy multiple engines directly on the endpoint. Moving the engines into the cloud would relieve the endpoint from having to handle the processing load locally. However, to accomplish such scanning in the cloud, the endpoint would need to upload full file contents, rather than merely transmitting the associated metadata.

Behavior Monitoring and Blocking

Cloud anti-virus is usually combined with other malware detection techniques found in traditional anti-virus products. These approaches may include identifying malware based on suspicious heuristic or behavioral characteristics. Behavioral analysis may pick up on potentially malicious actions on the endpoint such as:

  • Modifying the "hosts" file
  • Creating the "autorun.inf" file on a removable drive or a network share
  • Sending a lot of email in a short period of time
  • Generating new executable programs
  • Modifying "auto-run" registry keys

When a certain threshold of suspicious actions is observed on the endpoint, the agent can block the relevant program and report the incident to the cloud. This way, other users of the product benefit from the experience of the endpoint that first encountered the program.
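The following is an added example, not code from the article or from any vendor's product, of the threshold-based blocking just described together with the cloud-side update from the Data Analysis section: each process accumulates a score from the kinds of actions listed above, the "lots of email in a short period" item is detected as a rate over a sliding window rather than a single action, a process that crosses the threshold is blocked and reported, and the report changes the verdict that any other endpoint will receive for that file. The action names, weights, threshold and mail-burst limits are illustrative assumptions; the event stream and the HASH-A/HASH-B/HASH-C identifiers are constructed placeholders.

```python
"""Behavior-based blocking on the endpoint with feedback to the cloud.

Added example, not code from the article or from any vendor's product.
Assumptions: the action names, weights, block threshold and mail-burst
limits are illustrative; the event stream and file hashes are constructed.
"""
from collections import defaultdict, deque

# Illustrative weights for the suspicious actions listed in the article.
WEIGHTS = {
    "modify_hosts_file": 3,
    "create_autorun_inf_on_removable": 3,
    "modify_autorun_registry_key": 3,
    "mass_email_burst": 2,     # awarded once per process by the rate check below
    "write_executable": 1,
    "read_file": 0,            # benign; listed to show that ordinary actions score 0
}
BLOCK_THRESHOLD = 5           # assumption
MAIL_BURST_COUNT = 20         # assumption: this many SMTP connections ...
MAIL_BURST_WINDOW = 60.0      # ... within this many seconds counts as mass mailing


class CloudReputation:
    """Stand-in for the provider's back end; turns endpoint reports into verdicts."""

    def __init__(self, min_reports: int = 1):
        self.min_reports = min_reports    # assumption: reports needed before a verdict flips
        self.reports = defaultdict(list)  # file hash -> list of reported action histories
        self.verdicts = {}

    def report(self, file_hash: str, actions: list) -> None:
        self.reports[file_hash].append(list(actions))
        if len(self.reports[file_hash]) >= self.min_reports:
            self.verdicts[file_hash] = "malicious"

    def verdict(self, file_hash: str) -> str:
        return self.verdicts.get(file_hash, "unknown")


class BehaviorMonitor:
    """Scores each process's actions and blocks it when the threshold is reached."""

    def __init__(self, cloud: CloudReputation, threshold: int = BLOCK_THRESHOLD):
        self.cloud = cloud
        self.threshold = threshold
        self.scores = defaultdict(int)
        self.history = defaultdict(list)
        self.mail_times = defaultdict(deque)  # pid -> timestamps of recent SMTP connections
        self.mail_flagged = set()
        self.blocked = {}                     # pid -> hash of the blocked program

    def _weight(self, pid: int, action: str, ts: float) -> int:
        if action == "smtp_connect":
            window = self.mail_times[pid]
            window.append(ts)
            while ts - window[0] > MAIL_BURST_WINDOW:   # drop connections outside the window
                window.popleft()
            if len(window) >= MAIL_BURST_COUNT and pid not in self.mail_flagged:
                self.mail_flagged.add(pid)
                return WEIGHTS["mass_email_burst"]
            return 0
        return WEIGHTS.get(action, 0)

    def observe(self, event: dict) -> str:
        """Return 'blocked' or 'allowed' for one observed event."""
        pid, file_hash = event["pid"], event["hash"]
        if pid in self.blocked:
            return "blocked"
        self.history[pid].append(event["action"])
        self.scores[pid] += self._weight(pid, event["action"], event["ts"])
        if self.scores[pid] >= self.threshold:
            self.blocked[pid] = file_hash
            self.cloud.report(file_hash, self.history[pid])  # other endpoints benefit
            return "blocked"
        return "allowed"


def process_events(events, cloud=None):
    """Run a monitor over an event list; return (monitor, cloud, per-event decisions)."""
    cloud = cloud if cloud is not None else CloudReputation()
    monitor = BehaviorMonitor(cloud)
    decisions = [monitor.observe(e) for e in events]
    return monitor, cloud, decisions


# Constructed event stream for three processes; HASH-A..HASH-C are placeholder identifiers.
SAMPLE_EVENTS = (
    [{"pid": 101, "hash": "HASH-A", "ts": 0.0, "action": "write_executable"},
     {"pid": 101, "hash": "HASH-A", "ts": 1.0, "action": "modify_autorun_registry_key"},
     {"pid": 101, "hash": "HASH-A", "ts": 2.0, "action": "modify_hosts_file"},
     {"pid": 202, "hash": "HASH-B", "ts": 3.0, "action": "read_file"},
     {"pid": 202, "hash": "HASH-B", "ts": 4.0, "action": "write_executable"}]
    + [{"pid": 303, "hash": "HASH-C", "ts": 10.0 + i, "action": "smtp_connect"} for i in range(25)]
    + [{"pid": 303, "hash": "HASH-C", "ts": 40.0, "action": "modify_autorun_registry_key"}]
)

if __name__ == "__main__":
    monitor, cloud, decisions = process_events(SAMPLE_EVENTS)
    print("blocked processes:", monitor.blocked)
    for h in ("HASH-A", "HASH-B", "HASH-C"):
        print(h, "->", cloud.verdict(h))   # what a second endpoint would now be told
```

Process 101 crosses the threshold on its third action and is blocked; process 202 only reads a file and writes one executable, which stays below the threshold; process 303 earns the mass-mailing weight once its 20th SMTP connection lands inside the window and is blocked when it then touches an auto-run key. Because the blocked programs are reported, a fresh query for HASH-A or HASH-C returns "malicious" while HASH-B remains unknown.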

Cloud anti-virus is a promising approach to protecting endpoints from malware. It is implemented by standalone tools and is incorporated into many traditional anti-virus products in an attempt to keep up with malware threats.

For more on the topic, see How Antivirus Vendors Describe Their Cloud Capabilities.


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.