Publication | Closed Access
CloudAV: N-version antivirus in the network cloud
Citations: 283
References: 10
Year: 2008
Venue: Unknown
Antivirus software is one of the most widely used tools for detecting and stopping malicious and unwanted files. However, the long-term effectiveness of traditional host-based antivirus is questionable. Antivirus software fails to detect many modern threats, and its increasing complexity has resulted in vulnerabilities that are being exploited by malware. This paper advocates a new model for malware detection on end hosts based on providing antivirus as an in-cloud network service. This model enables identification of malicious and unwanted software by multiple, heterogeneous detection engines in parallel, a technique we term ‘N-version protection’. This approach provides several important benefits, including better detection of malicious software, enhanced forensics capabilities, retrospective detection, and improved deployability and management. To explore this idea we construct and deploy a production-quality in-cloud antivirus system called CloudAV. CloudAV includes a lightweight, cross-platform host agent and a network service with ten antivirus engines and two behavioral detection engines. We evaluate the performance, scalability, and efficacy of the system using data from a real-world deployment lasting more than six months and a database of 7220 malware samples covering a one-year period. Using this dataset we find that CloudAV provides 35% better detection coverage against recent threats compared to a single antivirus engine and a 98% detection rate across the full dataset. We show that the average length of time for an antivirus engine to detect a new threat is 48 days and that retrospective detection can greatly minimize the impact of this delay. Finally, we relate two case studies demonstrating how the forensics capabilities of CloudAV were used by operators during the deployment.