Panda also has a full cloud version.
How are the files scanned? What is in the cloud and what is local?
- populate the database?
- from-the-cloud scanning (what is being scanned?)
- both send statistics and files to be analyzed remotely (so, upload of files)
- sources of information: all Panda products contribute, as well as malware samples exchanges from within the industry, other channels such as CERTs, online scanners such as VirusTotal, customer submissions, honeypots and honeymonkeys we've deployed in a few continents, and a large etc.
OK, all the "non-cloud" antivirus products do that; Avast has a 180 million user database...
- Actually the agent does have a signature + heuristic engine which is optimized to work in off-line mode
... Hmmm... isn't it the same as other antivirus products then? What is in the cloud?
At least, they say it's not compatible with other antivirus products: "the incompatibilities come from the hooks and interceptions they need to perform all over the system (...) it's still an AV and therefore cannot be run alongside other vendors' AVs".
The key to the myth:
Given that Panda Cloud Antivirus offers the best security when connected to the Internet, what would be the percentage drop in protection when working only with the local cache?
One of the philosophies of the new protection model we've designed is that AVs don't need to detect every piece of malware that has ever existed or will exist, which is the traditional signature model. Basically what we're saying is that, if we have "x" millions of users in the Collective Intelligence community, what Panda Cloud Antivirus really needs to protect against is whatever malware is circulating amongst those users, and protect them even while off-line. For the rest of malware, you can detect it while connected to the Collective Intelligence servers.
Well... less protection then... so, fewer resources, so the myth...
This is where the whole "community" aspect of Panda Cloud Antivirus steps in. Whatever Collective Intelligence "sees" out there as circulating in the wild, it creates a small cache version of signatures which detects and disinfects that subset of malware and synchronizes it in every agent for off-line operation. Even while off-line, Panda Cloud Antivirus will protect against all malware that is circulating, against all malware that is "important for you".
So, what is being put in the cloud? Part of the signatures for ITW malware... It's a feature, not an AV in the cloud...
Another way of putting it is that this AV has been designed for real people, real users, not for testers and evaluators who judge how good or how bad an AV is based on lab-isolated tests of millions of samples which have not seen the light of day in months or even years. Unfortunately the multi-billion AV industry is very influenced (and therefore limited) by what magazine and independent comparatives publish, even though most testing methodologies in existence today still do not try to reflect the real-life situations of end users. We're very hopeful that the work of AMTSO is going to help a lot in improving testing methodologies and bring them closer to reflecting real-life scenarios.
Blaming the tests for the samples they use...
However, it's not quite the same as the traditional signature updates which are always incremental (always adding signatures, not taking them out).
Any vendor revises the signatures, makes them generic, improves them... Another bla-bla-bla...
The local cache also includes other types of generic signatures, generic disinfection routines and non-PE signatures. These are used mostly for off-line operation and for certain type of malware. The local cache contains less than 10% of the full knowledge of Collective Intelligence. We believe that as malware becomes more and more dynamic and the number of total malware continues growing exponentially, this % will be reduced over time.
Fully agree, some features and signatures must be in the cloud. It's just that the user must know what is going on...
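To make the model described in the two quoted passages concrete (a small local cache synced from the full cloud knowledge base, generic rules for offline use, and a cloud lookup for everything else), here is an added example in Python. It is not Panda's code and does not describe their actual implementation; the file contents, the "cloud" table, the prevalence threshold and the generic rule are all constructed for illustration. It also shows the point the post keeps circling: an offline miss is "unknown", not "clean", and offline coverage is only the slice of the cloud's knowledge that was synced.

```python
"""Two-tier AV lookup: local cache synced from a larger cloud knowledge base,
generic offline rules, and cloud fallback when online. All data is constructed."""
import hashlib
import re
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for files on disk (hypothetical names and bytes).
FILES = {
    "worm_prevalent.exe": b"MZ\x90\x00 worm payload v1",
    "trojan_rare.exe":    b"MZ\x90\x00 trojan payload, 3 victims",
    "dropper_new.exe":    b"MZ\x90\x00 cmd /c powershell -enc AAAA",
    "notepad.exe":        b"MZ\x90\x00 notepad clean",
    "unknown.bin":        b"\x00\x01 never seen",
}


@dataclass
class CloudEntry:
    verdict: str      # "malware" or "clean"
    prevalence: int   # how many community agents have reported this hash


# Constructed "full knowledge" table, standing in for the cloud side.
CLOUD = {
    sha256(FILES["worm_prevalent.exe"]): CloudEntry("malware", 120_000),
    sha256(FILES["trojan_rare.exe"]):    CloudEntry("malware", 3),
    sha256(FILES["notepad.exe"]):        CloudEntry("clean", 9_000_000),
}

# Generic offline rules: patterns that catch a family rather than one hash.
# The pattern below is a made-up illustration, not a real signature.
GENERIC_RULES = {
    "generic.encoded_powershell_dropper":
        re.compile(rb"powershell\s+-enc\s+[A-Za-z0-9+/=]{4,}"),
}


def sync_local_cache(cloud: dict, min_prevalence: int) -> dict:
    """Build the agent's local cache: only malware that is circulating
    widely enough (by prevalence) to be worth carrying offline."""
    return {h: e.verdict for h, e in cloud.items()
            if e.verdict == "malware" and e.prevalence >= min_prevalence}


def scan(data: bytes, local_cache: dict, online: bool) -> tuple:
    """Return (verdict, source). Order: local hash cache, generic rules,
    then the cloud if reachable. An offline miss is 'unknown', never 'clean'."""
    h = sha256(data)
    if h in local_cache:
        return local_cache[h], "local-cache"
    for name, rule in GENERIC_RULES.items():
        if rule.search(data):
            return "malware", f"generic:{name}"
    if online:
        entry = CLOUD.get(h)
        if entry is not None:
            return entry.verdict, "cloud"
    return "unknown", "none"


def offline_coverage(cloud: dict, local_cache: dict) -> float:
    """Share of cloud-known malware hashes the agent can name while offline."""
    malware = [h for h, e in cloud.items() if e.verdict == "malware"]
    return sum(1 for h in malware if h in local_cache) / len(malware)


if __name__ == "__main__":
    cache = sync_local_cache(CLOUD, min_prevalence=1_000)
    print(f"synced {len(cache)} of {len(CLOUD)} cloud entries, "
          f"offline coverage {offline_coverage(CLOUD, cache):.0%}")
    for online in (False, True):
        for name, data in FILES.items():
            print(f"online={online!s:5} {name:20} -> {scan(data, cache, online)}")
```

Run it once offline and once online: the prevalent worm and the generic dropper are caught either way, the rare trojan is "unknown" until the cloud answers, and the coverage figure is the honest number the user should be told.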
"Kernel Rules Engine" which is able to generically detect 100% of these types of exploits without any signatures.
Local scanning and features again...
Behind the initial analysis phase there's a bunch of technologies that are used to extract all types of information from each file, both from static analysis (such as packer information, API calls, functions, multi-scanners, etc.) and dynamic analysis (running in real machines, recording malware actions, dumping memory, etc.). All this information is then processed in the categorization phase, where it is correlated against the entire database of Collective Intelligence files using different techniques, such as graph theory algorithms, grouping algorithms, metaheuristics, rule-driven classification and identification, and many more techniques which are too resource intensive to be run anywhere but in a server-farm environment such as Collective Intelligence, and not on end user PCs.
Sure... All the other serious antivirus vendors do that.
They claim to be "the first truly cloud-based antivirus solution".
Final note: I'm not against any cloud feature or progress in the antivirus market.