McAfee touts "cloud-based" malware defense system

McAfee Monday is announcing a change in how it delivers malware-signature software updates that it says should result in much speedier fixes.

Instead of only waiting to distribute signature updates after a daily analysis of collected malware samples, McAfee via its new McAfee Artemis Technology method is making changes to its existing software so that if suspicious and as yet-unidentified harmful code is detected on the customer's machine during surfing or in some form of download, a process will occur in which that code will be collected and instantly uploaded to a McAfee analysis point for automated review.

"You will be delivered a signature update on the fly," says Dave Marcus, director of security research and communication at McAfee Avert Labs.

The move is part of a growing "cloud-based" antimalware movement also embraced by competitors F-Secure and Trend Micro in an effort to handle exploding malware volume.

"There are 3,500 pieces of malware every day," Marcus says. "We expect 2007 to 2008 to show a three-fold increase."

The term cloud-based refers to the idea that the vendors are relying more heavily on what's happening at any moment across the Internet and responding in as close to real-time as they can.

McAfee will continue collecting samples and deliver signature updates in what can be up to a two-day gap once malware is collected and identified. But the security firm is counting on speeding up protections by monitoring for dangers associated with as-yet-unidentified suspicious code that customers encounter in their computer activities. (Compare antivirus products.)

In some instances the user will receive a screen alert warning them that they've encountered malware and that a security remedy is being delivered to protect the user's machine. While this will be a new experience for the customer, Marcus says it shouldn't result in delays in computer use. Also, customers don't need to make any changes or upgrades to their McAfee software to receive the new antimalware support.

Competitor F-Secure says it's also taking a cloud-based approach to signature updates with its new Internet Security 2009 software.

Signature-based response can be a "very reactive mode," says David Frazier, director of technology services at F-Secure. "We can only push out signature updates every two to three minutes, mostly through an automated analysis. But the Storm worm, for example, is changing every half minute."

F-Secure says its process now entails making a digital hash of a file found in real-time on a user's machine and shooting it over to any one of several analysis centers that F-Secure operates worldwide to instantaneously analyze the file to determine if it's malware.

If so, an automated update would be delivered to the user's machine for protection. F-Secure is reluctant to take a file from a user without the user's consent, Frazier says, so making a digital hash of it — a unique mathematical copy — is the process that the company prefers.

Separately, Trend Micro has announced a cloud-based service approach based on a hash sample, but isn't expected to launch it until year-end.