RE: Trend Micro's AV 'cloud'

["David Harley" <david.a.harley () gmail com>]

> Moving away from signature based AV and into the 'cloud'?
> Lots of people(smarter than me, no doubt) have made noises 
> about the slow death of sig based AV.

As far as I can see, this is still signature detection. It's just that the
location of the database has changed. In fact, it looks to me as if they're
throwing out several babies with the bathwater and relying on near-exact
identification, in the hope that their crawler will have picked up the
sample already so that there'll be a signature. 

If I understand the implications correctly, systems will gain speed because
(1) the agent only has one comparison run for each suspicious program, and
it's just a hash lookup
(2) new sigs will be available immediately to each system, since there's no
waiting for the new defs to be cascaded from Trend's servers to customer's
systems.

However, it doesn't look as if there'll be a heuristic detection or generic
signature to fall back on if the sig doesn't exist. But the actual
implementation might look quite different. 
 
> What do people think will be the future and what are people 
> investing in for their own/company protection moving forward.

Since I work for a competing vendor, I don't think I'll risk that one. :)

> Is this just Trend's marketing speak? Or real innovation?

Actually, it's a variation on a client/server model that's been used in AV
previously. But it's quite a bold stroke. Not one I'd be anxious to commit
to personally, though.
 

--
David Harley