'Cloud delivered protection', Really?


  1. Posts : 11,247
    Windows / Linux : Arch Linux
       #11

    Hi folks
    Sometimes it's "Sales and Marketing" just inventing Buzzwords to create a demand for a service which probably exists anyway in your current A/V program.

    Any sensible A/V program would have real time protection from all sources -- there's basically no difference between a server on the Internet (say a web site wherever it's hosted) or the cloud which again in "Plain English ??" is just a bunch of remote servers lumped together so the user(s) just see it as "a server", so Real time protection should protect you against anything you could pick up from these places.

    I can't see any need for a special designation called "Cloud Protection" -- that's not to say don't enable it -- just can't see why an A/V real time protection needs a special switch for this.

    Just Marketing I suppose or back in my Engineering days I think it was called "Blinding people with Science".

    Cheers
    jimbo


  2. Posts : 3,453
       #12

    Cloud is telemetry. It helps with zero-day infections... so Real-time gains from that. It's not "Blinding people with Science".


  3. Posts : 11,247
    Windows / Linux : Arch Linux
       #13

    Superfly said:
    Cloud is telemetry. It helps with zero-day infections... so Real-time gains from that. It's not "Blinding people with Science".
    Hi there

    that's what I mean

    What on earth is "telemetry with Zero-day infections" and how in the world does that differ from protecting your computer with standard "Real Time Protection"?

    The only possible difference might be that cloud servers have virus / spyware etc. definitions updated more frequently than MS does, i.e. continuously, but I'd imagine MS is probably working to roll out "instant updates" on its A/V software anyway.

    Cheers
    jimbo


  4. Posts : 3,453
       #14

    jimbo45 said:
    Hi there

    that's what I mean

    What on earth is "telemetry with Zero-day infections" and how in the world does that differ from protecting your computer with standard "Real Time Protection"?

    The only possible difference might be that cloud servers have virus / spyware etc. definitions updated more frequently than MS does, i.e. continuously, but I'd imagine MS is probably working to roll out "instant updates" on its A/V software anyway.

    Cheers
    jimbo
    Real-time merely means constant monitoring (from set definitions)... "telemetry with Zero-day infections" means blocking as soon as.


  5. Posts : 31,657
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #15

    jimbo45 said:
    The only possible difference might be that cloud servers have virus / spyware etc. definitions updated more frequently than MS does, i.e. continuously, but I'd imagine MS is probably working to roll out "instant updates" on its A/V software anyway.

    No - that's not it. There is a lot of high powered AI processing analysing any suspicious samples uploaded. This identifies new previously unknown threats and can tell Defender to block something for which there is no definition yet.

    The whole process is described in detail here for a real world example of cloud protection in action....

    Microsoft said:
    At 12:46 a.m. local time on February 3, a Windows 7 Pro customer in North Carolina became the first would-be victim of a new malware attack campaign for Trojan:Win32/Emotet. In the next 30 minutes, the campaign tried to attack over a thousand potential victims, all of whom were instantly and automatically protected by Windows Defender AV....

    Automatic sample submission, a Windows Defender AV feature, sent a copy of the malware file to our backend systems less than a minute after the very first encounter. Deep learning ML models immediately analyzed the file based on the full file content and behavior observed during detonation. Not surprisingly, deep neural network models identified the file as a variant of Trojan:Win32/Emotet, a family of banking Trojans.

    While the ML classifiers ensured that the malware was blocked at first sight, deep learning models helped associate the threat with the correct malware family. Customers who were protected from the attack can use this information to understand the impact the malware might have had if it were not stopped.
    How AI and Windows Defender AV stopped an Emotet outbreak


  6. Posts : 5,452
    Windows 11 Home
       #16

    eLPuSHeR said:
    I think it's a BAD IDEA to turn those security options OFF.
    Some people value privacy over detection not to mention bandwidth limits. A cloud protection will give at most 48 hours warning ahead, but most likely only several hours, before signatures are pushed.

    Use of information: Sample submission reports are used to improve Microsoft software and services. The reports might also be used for statistical or other testing or analytical purposes, and for generating definitions. Only Microsoft employees, contractors, partners, and vendors who have a business need to use the reports are provided access to them. Sample submission reports do not intentionally collect personal information. To the extent that sample submission reports collect any personal information, Microsoft does not use the information to identify you or contact you.


  7. Posts : 84
    Windows 10 Home x64
       #17

    From a privacy point-of-view, any AV software with automatic sample submission can be nightmarish. They're free to scoop up any "suspicious" file off your system even if it could just be a false positive. Even without cloud-based protection, they send a lot of information back to their servers.

    Here's a link to download a 2014 study report by AV-Comparatives - an Austria-based independent antivirus testing and comparison organization. Only AhnLab, Emsisoft, and Vipre seem to respect user privacy.
    http://www.av-comparatives.org/wp-co...ng_2014_en.pdf

    An article based on the above study
    Is Your Antivirus Tracking You? You'd Be Surprised At What It Sends

    Not promoting Emsisoft but here's their take on the report
    Antivirus software: protecting your files at the price of your privacy | Emsisoft | Security Blog

    In the end, it's down to every individual's personal choice of AV software.


  8. Posts : 7,724
    3-Win-7Prox64 3-Win10Prox64 3-LinuxMint20.2
       #18

    Rickerz said:
    How could a cloud-based protection be more proactive?
    Hi,
    Yeah, Panda free and paid has the same cloud crapola stuff.
    Besides the delay for internet responses for issues, no telling how fast or slow it might work.
    MS has already boasted how all the telemetry has made itself useful so it will never change lol


  9. Posts : 84
    Windows 10 Home x64
       #19

    PrivacyFreak said:
    ... Only AhnLab, Emsisoft, and Vipre seem to respect user privacy...
    Correction: Vipre does not transmit visited web addresses but does assign your system a unique identification number and transmit this number while also sending any suspicious documents and other non-executable files back to their servers for analysis. So, it's just AhnLab and Emsisoft that are privacy-conscious.


  10. Posts : 17,661
    Windows 10 Pro
       #20

    Rickerz said:
    I have no need nor desire to use anything related to the "Cloud" scam.
    Browsing these forums, you are using cloud services, loading content from cloud (servers) to your local machine. When you save anything to DropBox, Google Drive, OneDrive and such, you are using cloud. When you check your emails, they are shown to you from cloud.

    Of course I understand that occasionally, all of us feel it important to dramatize our statements to stress certain facts, but to say you don't use cloud and call it scam is the same as if you said you do not use any computers and mobile phones and other such devices.


    Rickerz said:
    How could a cloud-based protection be more proactive?
    It really is. This quote from tutorial Enable Windows Defender Block at First Sight in Windows 10 | Windows 10 Tutorials:

    When a Windows Defender client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.

    If the cloud backend is unable to make a determination, the file will be locked by Windows Defender while a copy is uploaded to the cloud. Only after the cloud has received the file will Windows Defender release the lock and let the file run. The cloud will perform additional analysis to reach a determination, blocking all future encounters of that file.

    In many cases this process can reduce the response time to new malware from hours to seconds.
    Kari
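
    Added example, not part of the thread or of the quoted tutorial: a read-only PowerShell check of the Microsoft Defender settings that the Block at First Sight flow quoted above depends on, together with the sample submission setting debated in posts #16 and #17. It uses the built-in `Get-MpPreference` cmdlet; the wording of the check labels and the result lines is my own.

```powershell
# Added example: audit the Microsoft Defender settings behind cloud-delivered
# protection and automatic sample submission. Read-only; changes nothing.
# Requires the built-in Defender PowerShell module (Windows 10/11).

$p = Get-MpPreference

# Documented meanings of the numeric preference values.
$mapsText   = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
$sampleText = @{
    0 = 'Always prompt'
    1 = 'Send safe samples automatically'
    2 = 'Never send'
    3 = 'Send all samples automatically'
}

$maps   = [int]$p.MAPSReporting
$sample = [int]$p.SubmitSamplesConsent

# Block at First Sight needs every one of these to hold.
$checks = [ordered]@{
    'Real-time protection on'            = -not $p.DisableRealtimeMonitoring
    'Downloaded-file scanning (IOAV) on' = -not $p.DisableIOAVProtection
    'Cloud-delivered protection on'      = $maps -ne 0
    'Samples sent without prompting'     = $sample -in 1, 3
    'Block at First Sight not disabled'  = -not $p.DisableBlockAtFirstSeen
}

"Cloud protection (MAPSReporting) : $($mapsText[$maps])"
"Sample submission consent        : $($sampleText[$sample])"
"Cloud block level                : $($p.CloudBlockLevel)"
"Extra cloud-check timeout (s)    : $($p.CloudExtendedTimeout)"
''
foreach ($name in $checks.Keys) {
    '{0,-38} {1}' -f $name, $(if ($checks[$name]) { 'OK' } else { 'NOT MET' })
}

if ($checks.Values -contains $false) {
    'Result: the lock-upload-verdict flow quoted above is not fully active.'
} else {
    'Result: unknown files can be held for a cloud verdict before they run.'
}
```

    A sample submission value of "Never send" or "Always prompt" keeps files on the machine, which is the privacy preference raised earlier in the thread, at the cost of the "Samples sent without prompting" prerequisite showing NOT MET.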


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.