Our enterprise is considering cloud-based antivirus. Do you think this could offer greater protection than regular antivirus, as it could be updated more constantly, or would the risks involved with moving the functionality to the cloud (i.e., possible loss of antivirus if the provider went down) outweigh the potential perks?
Yes, cloud-based antivirus can offer greater protection than traditional signature-based antivirus. And there are more benefits than simply speed of updates for some cloud antimalware software. One of the newest and most promising functionalities that has been introduced is collective or community intelligence: When one or more systems identify a malicious executable, they are able to give feedback to the cloud antimalware provider, thus providing a wider surface area for rapidly detecting new malware. Traditional antimalware vendors have started to include this and other functionalities, such as behavioral detections, in their software on top of their signature detection to try to increase the speed of their updates.
There are, however, potential risks to using cloud-based antimalware, like downtime of the cloud provider, downtime on the local network, or general network problems. Downtime at the cloud provider is an issue of significantly greater concern than with traditional antimalware software that can operate without any additional infrastructure. Some cloud antimalware providers do offer options for offline protections, which can be used if there is downtime. The offline option would be important if the local network or ISP has a problem, causing the organization not to be able to reach the provider, or for users not regularly connected to the Internet. Other network issues like high latency or high packet loss may result in the cloud-based antimalware performing poorly, but this would affect all applications that need access outside the network, and offline protections could be used. These offline protections could include standard local antivirus and host-based security controls.
One other unique issue that could be exacerbated by using cloud-based antimalware software concerns false positives. Currently, an enterprise can test an updated virus definition prior to pushing it to its client systems, but performing this testing on malware definitions from a cloud antimalware product might not be possible. This is probably not an issue, except for the most cautious organizations, but it is something to be aware of when performing an enterprise antivirus comparison or considering a cloud-based antimalware system.
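The two risks the answer raises, degraded detection when the cloud provider is unreachable and the lack of a pre-deployment test for cloud-delivered definitions, can be made concrete with a small model. The following is an added example, not code from the original answer or from any vendor: the cloud reputation service is simulated by a local function, and all sample "files" and signatures are constructed byte strings, not real malware hashes.

```python
import hashlib
from dataclasses import dataclass


class CloudUnavailable(Exception):
    """Raised when the simulated cloud reputation service cannot be reached."""


@dataclass
class Verdict:
    malicious: bool
    source: str  # "local", "cloud", or "offline" (cloud unreachable, local definitions only)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples (assumption: placeholders standing in for real files).
OLD_SAMPLE = b"constructed sample already in local definitions"
NEW_SAMPLE = b"constructed sample known only to the cloud service"
GOOD_FILE = b"constructed known-good business application"

LOCAL_SIGNATURES = {sha256(OLD_SAMPLE)}
# Community intelligence: the cloud knows everything local does, plus newer samples.
CLOUD_REPUTATION = {sha256(OLD_SAMPLE), sha256(NEW_SAMPLE)}


def cloud_lookup(digest: str, available: bool, latency_ms: int, timeout_ms: int) -> bool:
    """Simulated reputation query; an outage or excess latency surfaces as CloudUnavailable."""
    if not available or latency_ms > timeout_ms:
        raise CloudUnavailable
    return digest in CLOUD_REPUTATION


def scan(data: bytes, cloud_available: bool = True, latency_ms: int = 20, timeout_ms: int = 500) -> Verdict:
    """Check local definitions first (no network needed), then ask the cloud; degrade on failure."""
    digest = sha256(data)
    if digest in LOCAL_SIGNATURES:
        return Verdict(True, "local")
    try:
        return Verdict(cloud_lookup(digest, cloud_available, latency_ms, timeout_ms), "cloud")
    except CloudUnavailable:
        # Degraded mode: only offline protection applied; the verdict source records this
        # so monitoring can alert on how long endpoints have been running without the cloud.
        return Verdict(False, "offline")


def stage_definitions(new_signatures: set, known_good: set) -> bool:
    """Enterprise pre-deployment test: reject a definition set that flags any known-good file."""
    return not (new_signatures & known_good)
```

Running `scan(NEW_SAMPLE, cloud_available=False)` returns a clean verdict with source `"offline"`, which is exactly the coverage gap the answer describes; `stage_definitions` is the local testing step that a cloud-delivered definition feed may not allow.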
This was first published in August 2011