Why 'in-the-cloud' scanning is not a solution

Maik Morgenstern AV-test
Andreas Marx AV-test

Currently, 'in the cloud' services are praised as the Holy Grail and the future of AV scanning. While such systems, built on both blacklisting and whitelisting approaches, can definitely increase detection rates and response times to new malware, this paper will show that current systems still have quite a lot of limitations:

  • The implementations are not proactive, but reactive in nature, despite better response times to new threats.
  • While detection rates are maximized (which looks good in test results), the risk of false positives is increased.
  • The results of 'in-the-cloud' scanning can be based on much more input data of both good and malicious files, but causes an additional performance impact on the client-, network- and server-side.
  • Due to the time required to answer a query, only on-demand scanners and files which are executed are checked, but not all accessed files (as a 'traditional' on-access guard would work).

Our paper will also look at factors such as the limited caching of results, how data is transferred (e.g. via http, https or dns requests) as well as the privacy (e.g. what kind of data is submitted?), security (e.g. can responses be manipulated?), reliability and fault tolerance (e.g. what happens with a broken Internet connection?) issues of today's 'in-the-cloud' implementations by the different AV companies.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.