Server-side Virus scanning presented at HackLu 2008

by Dumitru Codreanu

Summary: Long gone are the days when antiviruses shipped with as few as a few hundred virus signatures in their databases, with vendors literally begging for samples or trading them with other vendors. The signature databases have exploded since then, reaching 1-3 million signatures depending on the vendor. No wonder: since most signature creation is automated, loads of signatures are created for polymorphic viruses, malware packed with different packers, server-generated viruses, etc. Vendors have a hard time finding enough human resources to analyze in detail all the samples coming into the labs daily, so quite a lot of the signatures have to be entrusted to automatic systems. While proactive detection through heuristics, emulation or other techniques developed and implemented recently is a good way to go, the truth is that signatures will keep coming at even higher rates. All in all, this flow of signatures puts a heavy load on internet traffic to deliver the updates to the clients, and with this in mind many vendors feel that it might become a problem soon. "In the cloud" scanning, the process of scanning files on servers rather than on the client's machine, could solve some of these problems. The concept is not new, and in spite of several obvious benefits, such as additional information to monitor virus activity and point of origin, better response time to new threats, instant signature updates, etc., the internet traffic issue renders this method inapplicable for even the most basic purposes. We have analyzed a modified version of this concept, one in which both the client and the servers participate in the scan. While the server keeps the heavy parts, namely the signatures as well as a very large database of checksums of clean and infected items, the client performs some of the scanning steps itself, leaving the others to the server.
This reduces the traffic between client and server, since the files are not sent to the server and the client does not need the signature database. Now that only very little information is sent to the cloud for every file, the last and decisive factor that comes into play is the number of scanned files versus the number of signatures: only when the number of scanned files is low compared to the number of signatures is it more efficient to use the server's database than to download the signatures to the client. In this presentation we focus on one application of this approach that is available today. We analyzed the possibility of dropping a very light component on the client's machine that scans only the running processes, to perform a very fast assessment of whether there are any active threats to the system. The key argument is that a system has far fewer actively running processes than there are signatures; hence downloading the signatures just for this purpose would be a tremendous waste of internet traffic. We will show that, in spite of some drawbacks, there are also some nice benefits, such as not needing any unpacking code on the client at all and zero-day packers no longer being as great an issue; and a total of just 10Kb of traffic for the whole scan of a typical home computer, completed in hardly ever more than a minute, sure sounds appealing.
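As an added illustration of the client/server split described in this summary (example code, not the presenter's implementation), the client below hashes the images of its running processes, sends only the checksums to a stand-in verdict server, and compares the bytes on the wire with what a full signature download would cost; the process images, the choice of SHA-256, and the per-signature size are constructed assumptions.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed stand-ins for the images of running processes. A real client would
# read the executable backing each process; here they are inline byte strings.
RUNNING_PROCESSES: Dict[str, bytes] = {
    "explorer.exe": b"MZ\x90\x00constructed-clean-image-1",
    "svchost.exe": b"MZ\x90\x00constructed-clean-image-2",
    "updater.exe": b"MZ\x90\x00constructed-infected-image",
    "custom.exe": b"MZ\x90\x00constructed-unknown-image",
}

def checksum(data: bytes) -> str:
    """Client-side step: hash the image so the file itself never leaves the host."""
    return hashlib.sha256(data).hexdigest()  # SHA-256 is an assumption

class CloudVerdictServer:
    """Server side: keeps the large database of clean and infected checksums."""
    def __init__(self, clean: List[bytes], infected: List[bytes]) -> None:
        self.db: Dict[str, str] = {checksum(c): "clean" for c in clean}
        self.db.update({checksum(i): "infected" for i in infected})

    def lookup(self, request: bytes) -> bytes:
        """Request is a JSON list of checksums; hashes not in the database get 'unknown'."""
        hashes = json.loads(request)
        return json.dumps({h: self.db.get(h, "unknown") for h in hashes}).encode()

def scan_running_processes(server: CloudVerdictServer, processes: Dict[str, bytes]) -> Tuple[Dict[str, str], int]:
    """One round trip: send only checksums, get verdicts back, count bytes on the wire."""
    names_by_hash: Dict[str, List[str]] = {}
    for name, image in processes.items():
        names_by_hash.setdefault(checksum(image), []).append(name)  # identical images share one lookup
    request = json.dumps(sorted(names_by_hash)).encode()
    response = server.lookup(request)
    verdicts = {name: verdict
                for h, verdict in json.loads(response).items()
                for name in names_by_hash[h]}
    return verdicts, len(request) + len(response)

def signature_download_bytes(num_signatures: int, bytes_per_signature: int = 64) -> int:
    """Traffic for pulling the whole signature database instead (64 bytes each is an assumption)."""
    return num_signatures * bytes_per_signature

def build_demo_server() -> CloudVerdictServer:
    """Constructed database: two known-clean images and one known-infected image."""
    p = RUNNING_PROCESSES
    return CloudVerdictServer(clean=[p["explorer.exe"], p["svchost.exe"]],
                              infected=[p["updater.exe"]])
```

Calling `scan_running_processes(build_demo_server(), RUNNING_PROCESSES)` returns the per-process verdicts and a few hundred bytes of traffic, against tens of megabytes for downloading a million-signature database.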