OT: Vacation

January 1st, 2010 Pedro Bustamante 12 comments

Happy new year everybody!

I’m taking some days off with the family. This is the view from our cabin :)


I’ll be back in a few days…. maybe :)

Categories: Fun, Malware, News Tags:

Arguments against cloud-based antivirus

December 1st, 2009 Pedro Bustamante 5 comments

With any advance in science and technology there will always be critics and people opposed to change. This has happened over and over again in the course of history. Antivirus is no different. We saw resistance when we released behavioral analysis in 2004 (which is mainstream technology nowadays) and we have seen it recently with the release of Panda Cloud Antivirus.

In this post I have compiled a list of all arguments against cloud-based antivirus that I was able to find. Let us review these arguments against cloud-based antivirus and see why they are based on either misconceptions or simple lack of understanding and knowledge of how this technology works.

A malware could cripple the Internet connection and render the cloud antivirus useless
Exactly the same thing could happen to the traditional signature based antivirus. If a malware gets through the traditional signature defenses and manages to disable your Internet connection, you will not be able to get signature updates from your AV vendor and therefore will not be protected against the new malware variants, rendering your traditional AV just as useless.

A cloud-based antivirus needs to check everything against the cloud. Takes more time
Actually not everything is checked against the cloud. At least with Panda’s implementation of cloud-scanning there are locally installed technologies (heuristics, cache of cloud-detection, goodware cache, etc.) that are able to detect a good deal of malware threats and known good files. None of these files are checked against the cloud. Think about it: once you install the cloud-based antivirus, how many new programs do you install on your computer every day? Not that many, right? Once installed, only new programs copied or trying to run on your computer are checked against the cloud (if they are not detected first by the local technologies). From our beta testing phase we have seen that on average Panda Cloud Antivirus only consumes a few KB of bandwidth per day, less than the typical traditional signature updates.

It is an invasion of privacy. I do not want my files & documents to leave my computer
This is one of the most common misconceptions, maybe due to some weak implementations of cloud-scanning by some vendors. At least in Panda’s implementation of cloud-scanning, when a file is “scanned by the cloud” it doesn’t actually leave your computer; it is not uploaded to our Collective Intelligence servers. What really happens is that Panda Cloud Antivirus creates a really small reverse signature of the file, and the signature is what gets checked against the cloud. Also, cloud-scanning is applied only to Portable Executable (PE) files, so your Word/Excel documents, etc. are not checked against the cloud. There is one scenario with PE files where, if a file is flagged as suspicious and Collective Intelligence doesn’t already have a copy of it, the file is uploaded for further analysis. But even then people can opt out of participating in the community by simply un-checking this option in the product.

Cloud-based antivirus do not protect while offline
While this might be true of some cloud-based antivirus implementations, in the case of Panda Cloud Antivirus it is not true. Panda Cloud Antivirus has a local cached copy of the Collective Intelligence cloud servers. This local cache is tasked with detecting (even while not connected to the Internet) malware that is in the wild, non-PE malware and other threats. Unlike traditional signature updates, this local cache update is a “moving target” of what the community sees as circulating out there in the wild. Therefore it is able to efficiently protect against the important threats. This local cache does not protect against Win98 or DOS viruses or even malware that is dead or not circulating anymore. That is why the community aspect of Panda Cloud Antivirus is so important: the more people use it, the better protection it offers.
UPDATE: Panda Cloud Antivirus 1.1 includes 4 additional new layers of offline protection: 2 behavioural engines (blocking & runtime analysis), autorun disabling and USB vaccination.

So that means that it provides lower protection while offline
First let’s take a look at the practical aspect: after running the beta and release of Panda Cloud Antivirus for over 7 months with millions of users, we have not had a single recorded incident of an infected user while not connected to the Internet. There’s a common misconception that protection = detection rates of millions of samples as tested by magazines. This is not really true as those tests include malware that is dead, not circulating anymore or even does not work on your operating system (like old DOS/Win98 viruses). If we define protection as stopping real-life malware that is circulating then the offline protection that is offered by Panda Cloud Antivirus is more than enough.

So if I have some old malware and disconnect from the Internet, can I infect myself?
Yes, of course. You can also take a stroll down the worst neighborhood of your city sporting a gold watch and necklaces and there’s a pretty good chance you will be (at least) mugged. Or you can just drive off a 200 meter cliff hoping your seatbelt and airbag will be enough to save your life. Panda Cloud Antivirus was designed for real people and real-life use. With that in mind you won’t have to worry about these highly unlikely scenarios during your normal computing experience.

I’m worried about latency and response time
This is a very valid worry with regards to an AV whose real-time monitor (on-access scanner) works in a synchronous mode against the cloud. Currently we have two “timeouts” in the product: a first one to notify the user of problems with latency and a second one for blocking the execution altogether if no answer is received. However, from our measurements these last months, in over 98% of the cases the response time of the on-access scanner is below a second. Keep in mind that only a few bytes are sent back and forth when a file is queried, so the real impact is really low.

Cloud-scanning is just the latest marketing buzzword
It seems it is becoming much more of a buzzword. But that doesn’t mean there is no benefit behind it. Many different products (not only security-related) are migrating their “intelligence” to the cloud and leaving behind those old, overloaded, slow applications in exchange for faster, always up-to-date clients. There is a clear benefit not only from the perspective of developers, who are much less constrained by the limitations of a single PC, but also from the point of view of the user, who gets an improved computing experience without all the negative aspects of resource consumption on his/her PC.

Cloud-scanning is just a way for AV vendors to lower their cost of downloading signatures
Yeah right, you should talk to our CFO about this (he stands out as the only one with grey hairs because of how expensive this whole thing has been :) ). Seriously, it would have been waaaaay cheaper to stick to the existing traditional signature download infrastructure approach than to set-up an additional multi-million infrastructure just for cloud-scanning. Not only is there the initial investment but also the continuous maintenance. And of course this does not take into consideration the additional investment in development and QA that’s also needed to develop and maintain this technology in the products.

Cloud-scanning is only good as a second opinion
This might have been true of the first cloud implementations a couple of years ago (online scanner, the first cloud-only products, etc.) but it is not true anymore. At least with Panda’s implementation, Panda Cloud Antivirus is a full replacement of a traditional AV. Panda Cloud Antivirus has the best of both worlds; it includes local protection for offline and the most effective protection while online. While some vendors are adding some cloud-scanning abilities to their existing products (as an additional technology in the mix of different technologies), Panda Cloud Antivirus has been developed from scratch to work in real-time in synchronous mode against the cloud. It has been proven as an effective replacement for the traditional signature approach.

If you can think of any other argument against this type of technology feel free to let us know! :)
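The on-access flow described in this post (PE files only, local caches first, only a signature sent to the cloud, one timeout to notify and a second to block), sketched as an added example that is not Panda's code. The SHA-256 digest standing in for the "reverse signature", the timeout values, the verdict strings and every function name are assumptions.

```python
import hashlib
import struct
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

def make_sample_pe(payload: bytes) -> bytes:
    """Constructed test input: minimal MZ header whose e_lfanew points at 'PE\\0\\0'."""
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + payload

def is_pe(data: bytes) -> bool:
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_on_access(data, goodware, detections, cloud_lookup,
                   notify_after=1.0, block_after=5.0, notify=print):
    """Return (verdict, source). Only the digest is ever handed to cloud_lookup."""
    if not is_pe(data):
        return "allow", "not-pe"                 # documents are never queried
    digest = hashlib.sha256(data).hexdigest()    # assumed stand-in for the signature
    if digest in goodware:
        return "allow", "goodware-cache"         # known good: no network traffic
    if digest in detections:
        return "block", "detection-cache"        # cached cloud detection, works offline
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(cloud_lookup, digest)
    try:
        try:
            verdict = future.result(timeout=notify_after)
        except FutureTimeout:
            notify("cloud lookup is slow, still waiting")      # first timeout
            verdict = future.result(timeout=block_after - notify_after)
    except (FutureTimeout, OSError):
        return "block", "no-answer"              # second timeout: fail closed
    finally:
        pool.shutdown(wait=False)
    if verdict == "malware":
        detections.add(digest)                   # remembered for later and offline use
        return "block", "cloud"
    if verdict == "goodware":
        goodware.add(digest)
    return "allow", "cloud"
```

Failing closed on the second timeout matches the post's "blocking the execution altogether if no answer is received"; verdicts other than "malware" or "goodware" are allowed but not cached, which is a choice made for this sketch.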

New Panda Research Blog Style

November 18th, 2009 Pedro Bustamante 6 comments

As you will notice, we’ve migrated the Panda Research blog to a new platform, which I’m hoping will take less time to manage, especially moderating comments and filtering spam, which took a lot of time with the cumbersome Microsoft blogging platform.

If you’ve posted a comment which hasn’t made the migration, please post it again. I’ll try my best to moderate it as soon as possible.

Panda Security Compatibility with Windows 7

October 23rd, 2009 Pedro Bustamante 15 comments

I'm happy to announce that all our consumer and most corporate products with full Windows 7 compatibility have been released. You can download them from:

http://www.pandasecurity.com/windows7

 

Categories: News Tags:

Panda Security Days in Sweden 09

October 14th, 2009 Pedro Bustamante Comments off

Just as we did last year and other years before that, last week we had our Panda Security Days in Sweden. This year we started in Malmö, followed by Gothenburg and ending up in Stockholm. There were very good speakers from Panda presenting different topics: Cecilia Carlsdotter talked about Panda's corporate social responsibility initiatives. Sebastian Zabala talked about our different products and technologies. Daniel Nyström, Head of Tech Support in Sweden, talked about various support issues and presented his excellent team. Luis Corrons talked about the latest cyber-crime techniques, focusing on banking trojans and rogue antivirus. Petter Lautin talked about the different corporate objectives for Panda in Sweden, and lastly I talked about internal statistics of Collective Intelligence and other stuff we're working on.

As I know you'll be curious about this, here's some of the Collective Intelligence stats we presented during the talks:
25 TB         Size of Collective Intelligence Database
48 million    Files hosted by Collective Intelligence
80 million    Files analyzed by Collective Intelligence
61.000        New files received daily at Collective Intelligence
99.4%         Files processed automatically every day
150 GB        Size of logs generated every day by Collective Intelligence
165 million   Files queried against Collective Intelligence every day
127 KB        Bandwidth usage of each Panda Cloud Antivirus agent every day

In addition to the interesting stats I'll also leave you with some pictures of this fun week in Sweden.

Categories: Fun, News Tags:

Panda USB Vaccine – Version 1.0.1.4

October 8th, 2009 Pedro Bustamante 22 comments

We recently released version 1.0.1.4 of Panda USB Vaccine. This version includes a few bug fixes plus multi-lingual support. The MD5 of the executable is 58cc5b530fc552c8e31870f90db425ed.

As always you can get it directly from download.com.

Categories: Utils Tags:

The Perfect Antivirus!

September 21st, 2009 Pedro Bustamante 5 comments

From web.splesh.net.

Categories: Fun Tags:

Cool video

September 16th, 2009 Pedro Bustamante 2 comments

Cool dragonball-like video from our partner in Taiwan :)

 http://www.youtube.com/watch?v=D_kfddS_Tyc

I especially like the part about TruPrevent.

 

Categories: Fun, News Tags:

Compatibility with Windows 7 – Part 2

September 14th, 2009 Pedro Bustamante 19 comments

As you may remember at the beginning of the year we released a Panda AV 2009 compatible with Windows 7. We are now releasing Windows 7 compatibility of our Panda 2010 products in a beta program. Be sure to check out http://www.pandasecurity.com/windows7 or simply download Panda Global Protection 2010 for Windows 7 directly from here.

 

 

 

Categories: News Tags:

Microsoft to disable AutoRun… maybe

September 14th, 2009 Pedro Bustamante 2 comments

Interesting news from Redmond:
http://www.theregister.co.uk/2009/09/14/more_microsoft_autorun_fixes/

On Friday, Microsoft announced the availability of updates to the XP, Server 2003, Vista and Server 2008 versions of Windows that removes the AutoRun popup window when some types of removable media is connected. The change doesn't affect optical media such as CDs and DVDs, a shortcoming we'll get to in a moment.
As we pointed out then, the move is a step in the right direction, but it doesn't go far enough. That's because certain types of removable drives – those made by U3, for instance – run firmware that advertises the device to Windows as a CD. Such drives will continue to automatically execute the AutoRun routine as soon as they're plugged in.
The new updates are available here. But as we've said before, given the large number of devices that are unaffected by this change, we'll continue to disable AutoRun altogether.

While we applaud the move, as it shows somewhat more security-conscious decisions in product design, it's still too little, too late.

If you want to be truly protected against AutoRun malware and make sure your USB drive is not used as an infection vector, download and use the free Panda USB Vaccine.

Categories: News, Utils Tags: