Archive for the ‘architecture’ Category

Frequently Asked Questions

May 4th, 2009


We’ve been getting a lot of positive feedback from the community regarding Cloud Antivirus. Thanks to all for downloading, testing, and using it. Of course there are many questions that are being answered through this blog and via comments, but as not all users read through the comments, I thought I’d compile a list of the most important and most common questions as well as answers. The list of comments/questions is the following (scroll down for the answers):

  • Why isn’t there a 64bit and Windows7 version?
  • Will Panda Cloud Antivirus continue being FREE after the beta is over?
  • Do I need to run a different antivirus at the same time as Cloud Antivirus?
  • Am I still protected when I’m not connected to the Internet?
  • After installing Cloud Antivirus I scanned my PC and it took a really long time. What’s up?
  • Are my files being sent to the cloud for scanning?
  • What exactly is sent to the cloud?
  • Cloud Antivirus detected a Trojan and deleted it. How can I get it back?
  • Why can’t I choose delete/block/ignore when it detects a Trojan?
  • Can I run Cloud Antivirus alongside my Norton360/AVG/Etc.?
  • Scan stuck at x%.
  • I have 2 monitors and Cloud Antivirus always appears right in the middle of both.
  • Since I installed Cloud Antivirus my system has *really* slowed down to a crawl.
  • I’m having problems downloading the Cloud Antivirus installation program.


Why isn’t there a 64bit and Windows7 version?

Basically we wanted to get Cloud Antivirus out there and tested as soon as possible to validate the new philosophy and protection model. Supporting additional configurations was less of a priority than seeing if the model is truly valid or not. However we’re seeing that by popular demand this is the #1 request we’re getting so we’ll re-think our priorities and try to release these builds as soon as possible.


Will Panda Cloud Antivirus continue being FREE after the beta is over?

YES. Absolutely. 100%. Free.


Do I need to run a different antivirus at the same time as Cloud Antivirus?

No. Cloud Antivirus provides all the protection you need from viruses, malware, etc. Also it is not recommended to run 2 different AV engines at the same time as they can conflict with each other.


Am I still protected when I’m not connected to the Internet?

Yes, you do not need to be connected to the Internet all the time in order to be protected. Cloud Antivirus stores a “local cache copy” of Collective Intelligence for offline operation. As soon as you disconnect, Cloud Antivirus still works in the background, checking every file against its local cache of detections. This local cache includes, amongst other things, detection for all malware files which are currently in circulation and affecting users.


After installing Cloud Antivirus I scanned my PC and it took a really long time. What’s up?

If you run an on-demand scan of your entire system right after installing Cloud Antivirus you will experience this slowness because both the initial Background Scan and the on-demand scan are running simultaneously. Panda Cloud Antivirus runs a Background Scan after installation. During this Background Scan Cloud Antivirus does a review of the entire PC by scanning it and by filling up its goodware cache (checking known good files against the cloud) in order to optimize future scans. Simply allow Cloud Antivirus to finish its Background Scan before launching a full system scan. If you are experiencing problems after that, please export your Windows Event Log for Cloud Antivirus (My PC, Manage, Event Viewer, Nano, right-click & Save as) and send it to us at beta@pandasecurity.com.  


Are my files being sent to the cloud for scanning?

No. Absolutely no files and no personal information are sent to the cloud. Also, only PE files (.EXE, .COM, etc.) are checked against the cloud. Non-PE files such as pictures, documents, etc. are not scanned from the cloud.


What exactly is sent to the cloud?

For any PE file that is checked against the cloud, we create multiple cryptographic hashes. Amongst them is what we call a “reverse signature” of the file. This reverse signature is able to identify multiple similar files. The response from the cloud can be “malware”, “goodware” or “unknown”. Also we send “behavioral traits” of files to be scanned heuristically remotely by the cloud. These are basically properties and characteristics of each file. In summary, no content and no personal information is ever sent to the cloud.
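To make the lookup flow concrete, here is an added example (my own code, not Panda's) that models the client side of what this answer and the offline-protection answer above describe: only PE files are checked, digests rather than content are sent, the cloud answers malware, goodware or unknown, definitive answers are kept in a local cache so the file can be classified offline, and a lost connection falls back to that cache. The "reverse signature" and the behavioral traits are not specified on the page, so SHA-256/SHA-1 digests and two coarse file properties stand in for them; the verdict table, sample bytes and file names are constructed, and the extension-based PE check is an assumption.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for the Collective Intelligence servers: a verdict table
# keyed by SHA-256. The real service, its "reverse signature" and its remote
# heuristics are not described on the page, so this is an assumption.
CLOUD_VERDICTS: dict = {}

# Extensions the post lists as checked against the cloud (.EXE, .COM, "etc.");
# .DLL appears in the logging post. Deciding PE-ness by extension is an assumption.
PE_EXTENSIONS = (".exe", ".com", ".dll")


class CloudUnavailable(Exception):
    """The (simulated) cloud could not be reached; the log calls this a Cloud Error."""


def is_pe_name(name: str) -> bool:
    return name.lower().endswith(PE_EXTENSIONS)


def fingerprints(data: bytes) -> dict:
    # Several cryptographic hashes are computed from the file; only these
    # digests, never the content, would be transmitted.
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def traits(data: bytes) -> dict:
    # Stand-in for "behavioral traits": coarse properties of the file, not content.
    return {"size": len(data), "has_mz_header": int(data[:2] == b"MZ")}


@dataclass
class Agent:
    online: bool = True
    # "Local cache copy" of Collective Intelligence: sha256 -> malware/goodware
    local_cache: dict = field(default_factory=dict)

    def query_cloud(self, fp: dict, tr: dict) -> str:
        if not self.online:
            raise CloudUnavailable("network connection disabled")
        # Three possible answers from the cloud: malware, goodware or unknown.
        return CLOUD_VERDICTS.get(fp["sha256"], "unknown")

    def classify(self, name: str, data: bytes) -> tuple:
        """Return (verdict, source) for a file, following the post's description."""
        if not is_pe_name(name):
            return ("not-checked", "non-PE files are not sent to the cloud")
        fp = fingerprints(data)
        cached = self.local_cache.get(fp["sha256"])
        if cached is not None:
            return (cached, "local cache")
        try:
            verdict = self.query_cloud(fp, traits(data))
        except CloudUnavailable:
            # Offline with no cache hit: the file stays unknown. The local
            # heuristics the post mentions are not modelled here.
            return ("unknown", "cloud error")
        if verdict in ("malware", "goodware"):
            # Definitive answers are cached so later scans work offline
            # (this is how the goodware cache fills during the Background Scan).
            self.local_cache[fp["sha256"]] = verdict
        return (verdict, "cloud")


# Constructed sample "files": a few bytes each, not real programs.
SAMPLE_LOCAL = b"MZ" + b"constructed sample known to the local cache"
SAMPLE_CLOUD = b"MZ" + b"constructed sample known only to the cloud"
SAMPLE_NEW = b"MZ" + b"constructed sample nobody has seen"


def run_demo() -> list:
    """Walk through online lookups, cache filling and an offline fallback."""
    CLOUD_VERDICTS[hashlib.sha256(SAMPLE_CLOUD).hexdigest()] = "malware"
    agent = Agent(online=True)
    agent.local_cache[hashlib.sha256(SAMPLE_LOCAL).hexdigest()] = "malware"

    results = [
        agent.classify("EICAR.EXE", SAMPLE_LOCAL),        # hit in local cache, no cloud needed
        agent.classify("MyFormatter.exe", SAMPLE_CLOUD),  # answered from the cloud, then cached
        agent.classify("mydoc.doc", b"some document"),    # non-PE: never sent
    ]
    agent.online = False                                  # network disabled
    results.append(agent.classify("MyFormatter.exe", SAMPLE_CLOUD))  # now served from cache
    results.append(agent.classify("unknown.exe", SAMPLE_NEW))        # cloud error, unknown
    return results


if __name__ == "__main__":
    for verdict, source in run_demo():
        print(f"{verdict:<12} via {source}")
```

The point of the cache write in `classify` is that every cloud answer makes the agent a little more useful offline: after the first online scan of a file, disconnecting the network no longer changes its verdict.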


Cloud Antivirus detected a Trojan and deleted it. How can I get it back?

Cloud Antivirus is pre-configured to automatically delete malicious files. However, suspicious files and certain types of grayware (hacking tools, potentially unwanted programs, etc.) are not deleted automatically but sent to the Recycle Bin (quarantine). To access the Recycle Bin, click on the folded bottom right corner of the Cloud Antivirus program. From there you can unblock detected files and get access to them again. Keep in mind that, once unblocked, these will not be detected again by Cloud Antivirus. However, if the file that was detected is a true malicious file such as a Trojan, it will be deleted automatically and there’s no way to get it back (after all, you’re installing Cloud Antivirus to get rid of malware, right?).


Why can’t I choose delete/block/ignore when it detects a Trojan?

As an antivirus program, the main thing that users ask for from us is that we detect and get rid of malicious files without bothering them. This is exactly what Cloud Antivirus does, keeping everything as simple and straightforward as possible. This is what we’re trying to do with the new protection model of Cloud Antivirus, to manage all these decisions for end users automatically. However we are getting some feedback from advanced users to have this functionality included. We’re thinking about how to approach this but one way would be to activate an “advanced mode” and while in that mode maintain an encrypted copy of every detected file in the Recycle Bin (at least for x amount of max time) that can be recovered if needed. Comments about this approach are welcomed.


Can I run Cloud Antivirus alongside my Norton360/AVG/Etc.?

No, you can’t, just as you can’t (or shouldn’t) run two or more different antivirus programs at the same time. The Cloud Antivirus installer identifies a large number of AV programs and will stop the installation if it detects one running. However, there are reports of some users that have been able to install Cloud Antivirus running at the same time as lesser known AV programs such as Spyware Doctor Antivirus. In these cases you might experience slowness or sluggishness of the Operating System. To resolve this issue simply uninstall one of the two AV programs.


Scan stuck at x%.

Issue 1: This is a bug of the interface transparency effect. It’s not really a bug with the scan itself; rather it’s a bug in the interface painting actions. It occurs when, during the scan, the screensaver kicks in or the user session is closed. After coming back to the scan window, the impression is that the scan is stuck. However, if you click on the scan window and drag it you can see that the scan is finished or still progressing.

Issue 2: We have had some reports of stuck scans which are not due to the interface transparency effect. If you are experiencing this problem, please export your Windows Event Log for Cloud Antivirus (My PC, Manage, Event Viewer, Nano, right-click & Save as) and send it to us at beta@pandasecurity.com.


I have 2 monitors and Cloud Antivirus always appears right in the middle of both.

Yes this is a reported and known bug. We’ll fix it as soon as possible.


Since I installed Cloud Antivirus my system has *really* slowed down to a crawl.

See the FAQ above about running Cloud Antivirus in parallel with another AV program. If this is not the case and you still experience slowness of the Operating System in general, please contact beta@pandasecurity.com and send us the details of your configuration.


I’m having problems downloading the Cloud Antivirus installation program.

Delete all temporary files from your browser and try downloading again from www.cloudantivirus.com.


Author: Pedro Bustamante | Categories: architecture

Testing Panda Cloud Antivirus: Advanced Logging

April 30th, 2009


If you’ve read the introduction to Panda Cloud Antivirus and have come this far, you’re probably interested in “seeing” how this new approach to protection works, not just reading about it. We have enabled certain functionalities which you, as a tester, can use to “see” what Panda Cloud Antivirus is doing behind the scenes.


Turning Advanced Logging On/Off

One of the most important things to take into consideration while testing Panda Cloud Antivirus, especially against malware samples and its on-access scanner, is that the traditional on-access scanner has been replaced by 3 new types of interception techniques: OnAccess, OnPrefetch and OnBackground. As each of these operates at different priorities and risk situations, their final actions are not always immediately visible as you would expect from a traditional on-access scan. For example if you copy a directory full of malware samples from one drive to another (or from one directory to another) you will not experience an immediate block of the system and detection and disinfection as the copy operation occurs, as in this scenario an OnPrefetch Scan would be scanning these files asynchronously and using idle CPU times.

In order to give visibility of what exactly is happening behind the scenes, we have created 2 registry entries which can be tweaked to turn advanced logging on and off. Simply download the registry files below and run them. Make sure the directory C:\Logs_CloudAV exists, or replace it with a path of your choice in the REG file. We suggest you create a specific directory for it, as multiple log files will be created, one for every time the service is started. A reboot or service restart will be required for Panda Cloud Antivirus to start logging.

[Download links: loggingon, loggingoff (REG files)]


Understanding the Log

The log file is basically a CSV file with the following fields:

  • TimeStamp: Time stamp of the event.
  • JobID: Internal engine ID of the event.
  • Profile: ID of the configuration profile with which the event has been executed. Different types of events use different profiles in order to apply a specific configuration.
  • Date: Complete date and seconds of the event.
  • JobType: Type of job. Can be AnalysisRequest, AnalysisResult or ActionResult.
  • TaskType: Type of scan that generated the event: OnDemand, OnBackground, OnPrefetch or OnAccess.
  • File: Full path to the file in question.
  • Result: Result of the task. In the case of an AnalysisResult event it indicates the malware classification; in the case of an ActionResult it indicates the action taken.

In the following sections we’ll take a more in-depth look into some sample detections and how they can be interpreted by looking at the log file.
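As an added example (not part of the original post), here is a small parser for a log in the format just described. It groups events by JobID, reduces each job to its verdict and action, and lists files whose scan never reached a result, which is the first thing to look at when a scan appears stuck. The sample log lines are constructed: the field order follows the description above, but the timestamp format, profile numbers, paths and result strings (Goodware, Malware, Deleted, Connection failed) are assumptions, and the "Cloud Error" JobType is taken from the connectivity-failure note later in this post.

```python
import csv
import io
from collections import defaultdict

# Field order as described in the post.
FIELDS = ["TimeStamp", "JobID", "Profile", "Date", "JobType", "TaskType", "File", "Result"]

# Constructed sample log, not a real Cloud Antivirus log: one on-demand scan of
# a folder (jobs 17 and 18), a prefetch scan that lost the cloud (job 19) and an
# on-access request still waiting for its result (job 20).
SAMPLE_LOG = """\
1001,17,3,2009-04-30 10:15:01,AnalysisRequest,OnDemand,C:\\Samples\\clean.exe,
1002,17,3,2009-04-30 10:15:02,AnalysisResult,OnDemand,C:\\Samples\\clean.exe,Goodware
1003,18,3,2009-04-30 10:15:02,AnalysisRequest,OnDemand,C:\\Samples\\bad.exe,
1004,18,3,2009-04-30 10:15:03,AnalysisResult,OnDemand,C:\\Samples\\bad.exe,Malware
1005,18,3,2009-04-30 10:15:03,ActionResult,OnDemand,C:\\Samples\\bad.exe,Deleted
1006,19,5,2009-04-30 10:15:04,AnalysisRequest,OnPrefetch,C:\\Program Files\\GoogleDesktopResources_es.dll,
1007,19,5,2009-04-30 10:15:05,Cloud Error,OnPrefetch,C:\\Program Files\\GoogleDesktopResources_es.dll,Connection failed
1008,20,1,2009-04-30 10:15:06,AnalysisRequest,OnAccess,C:\\Samples\\EICAR.EXE,
"""


def parse_log(text: str) -> list:
    """Read the CSV log into one dict per event, keyed by the field names above."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    return [row for row in reader if row["JobID"]]


def summarize_jobs(events: list) -> dict:
    """Group events by JobID and reduce each job to file, task, verdict, action, status.

    Status is 'pending' (request without a result yet), 'analyzed' (result but no
    action), 'actioned' (an action was taken) or 'cloud error' (agent/server
    communication failed for this job).
    """
    by_job = defaultdict(list)
    for e in events:
        by_job[e["JobID"]].append(e)

    summary = {}
    for job_id, job_events in by_job.items():
        job_events.sort(key=lambda e: int(e["TimeStamp"]))
        first = job_events[0]
        entry = {
            "file": first["File"], "task": first["TaskType"],
            "verdict": None, "action": None, "status": "pending",
        }
        for e in job_events:
            if e["JobType"] == "AnalysisResult":
                entry["verdict"], entry["status"] = e["Result"], "analyzed"
            elif e["JobType"] == "ActionResult":
                entry["action"], entry["status"] = e["Result"], "actioned"
            elif e["JobType"] == "Cloud Error":
                entry["status"] = "cloud error"
        summary[job_id] = entry
    return summary


def unresolved_files(summary: dict) -> list:
    """Files whose scan never reached a verdict: the place to look when a scan seems stuck."""
    return sorted(e["file"] for e in summary.values()
                  if e["status"] in ("pending", "cloud error"))


if __name__ == "__main__":
    jobs = summarize_jobs(parse_log(SAMPLE_LOG))
    for job_id, e in sorted(jobs.items(), key=lambda kv: int(kv[0])):
        print(job_id, e["task"], e["status"], e["file"], e["verdict"], e["action"])
    print("unresolved:", unresolved_files(jobs))
```

Sorting each job's events by TimeStamp before reducing them matters with this log because several task types write into the same file asynchronously, so a job's AnalysisResult is not guaranteed to be adjacent to its AnalysisRequest.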


On-Demand Scan of a Folder

In this scenario we’ll launch an on-demand scan of a folder which contains a mix of clean and infected files. This example generates an OnDemand AnalysisRequest for every element inside the directory: the directory is enumerated and every object found is scanned with the OnDemand task. Those found to be malware are acted upon by Cloud Antivirus (deleted or disinfected).

[Screenshot: log01]

A typical scenario while launching on-demand scans on a file or folder is the loss of Internet connectivity during the scan itself, or simply no connectivity whatsoever. As Panda Cloud Antivirus bases most of its detection technology on the cloud, the log entries show each file scan returning an error indicating loss of connectivity. Most detections while running an on-demand scan without Internet connectivity will be due to the local cache copy of Collective Intelligence and the heuristics included in the agent.

[Screenshot: log02]


On-Demand Scan of a Suspicious File

In this scenario we’ll launch an on-demand scan on a specific file. We’ll right-click the file suspect.dat which is classified as suspicious. In case of receiving a positive AnalysisResult the engine will throw an Action on the file.

[Screenshot: log03]


Execution of a Malware PE File

In this test scenario we’ll execute a malicious PE file (files with extension EXE, COM, etc.). In this example we’ll double-click on the file EICAR.EXE which is considered malware and whose detection does not require connectivity to the cloud. As the execution of a file is an action which puts the security of the machine in danger, as soon as it is intercepted it is blocked and an OnAccess AnalysisRequest is launched. Depending on the result, access to the file is allowed or denied, and a subsequent task is generated to neutralize the file.

[Screenshot: log04]

In the next example we’ll repeat a similar scenario, but with a malware file (MyFormatter.exe) whose detection is delivered from the cloud. In the log below we can see the reaction of the product to the execution of MyFormatter.exe.

[Screenshot: log05]


Copy of a PE File

In this scenario we’ll copy a malicious PE file Eicar.exe to EicarCopy.exe. As a copy operation is not a high imminent risk to the PC the copy operation is permitted while an OnPrefetch AnalysisRequest is launched, anticipating its possible execution later on. If it is detected as malware, an Action will be requested on the file.

[Screenshot: log06]

It is worth noting an error that may show up in the log (shown below) with the JobType “Cloud Error”. It means that the communication between the Panda Cloud Antivirus agent and the server has failed; in this particular example it occurred during the OnPrefetch scan of the PE file GoogleDesktopResources_es.dll, as the network connection was disabled on this machine.

[Screenshot: log07]


Opening of a Non-PE File

This scenario consists of opening a non-PE file, in our case a Word document (mydoc.doc) which is not malicious. Opening a file, like executing a PE file, is considered a high-risk action for the computer. Therefore the action is intercepted and blocked while an OnAccess AnalysisRequest is launched on the file.

[Screenshot: log08]


Copy of a Non-PE File

In this example we’ll copy a malicious non-PE file Achtung.doc to AchtungCopy.doc. As a copy operation is not a high imminent risk to the PC the copy operation is permitted and the default action is to launch an OnPrefetch AnalysisRequest on the resulting file. However in this case an OnAccess AnalysisRequest is launched on the original file as the Operating System needs to open a non-PE file in order to copy it to a new file. As we’ve seen before, the opening operation is considered a high risk operation and therefore an OnAccess AnalysisRequest is also launched on the file Achtung.doc. As it is detected as malicious, the copy operation is blocked.

[Screenshot: log09]


Author: Pedro Bustamante | Categories: architecture

New Protection Model Explained

April 29th, 2009

With Panda Cloud Antivirus we introduce a new protection model based on a thin-client agent & server architecture which services malware protection as opposed to locally installed products. By combining local detection technologies with cloud-scanning capabilities and applying non-intrusive interception techniques on the client architecture, Panda Cloud Antivirus provides some of the best protection with a lightweight antivirus thin-client agent that barely consumes any PC resources.

Panda Cloud Antivirus is the first antivirus based on this innovative protection model which is based on two fundamental principles:

1. Automatic malware detection and remediation from the cloud in real-time.
2. The use of an ultra-lightweight thin-client agent.

Automatic Malware Detection & Remediation from the Cloud

One of the main pillars of Panda Cloud Antivirus is its real-time use of Panda Collective Intelligence, which is an online from-the-cloud system that automates the entire malware protection cycle; collecting new samples, analyzing, categorizing, creating detection and disinfection routines and delivering the protection to each node.

Thanks to this approach users do not need to worry about updating signature files anymore. In fact, detection of millions and millions of different malware variants is no longer limited by the size of a signature database, as Collective Intelligence can hold a literally unlimited number of detections without consuming any memory on the users’ PC.

Another benefit of using cloud-based detection is that the time from detection to protection has been shortened a lot. It takes C.I. literally under 6 minutes to analyze and classify a new file that it receives.

An important aspect of Collective Intelligence is the use of correlation in order to further improve detection of new variants. By using information from the different nodes, C.I. can protect against new strains of malware by correlating their activity from the first time they are seen in one of the nodes. Therefore the community becomes the lab. The more users use Panda Cloud Antivirus, the better protected everybody is.

A Lightweight Thin-Client that Off-Loads the Hard Work to the Server

The client portion of Panda Cloud Antivirus has been designed from the ground up to protect PCs in a non-intrusive way. Basically we’ve redesigned the traditional on-access interception techniques to work in a slightly different way, adapting to users’ real need for reduced performance impact while concentrating on the truly important aspects of protection when it is needed.

Traditionally AV engines have intercepted files and objects in multiple layers (entry vector, file system and execution). In each layer, each object is scanned by multiple technologies, such as antivirus signatures, rules, heuristics, behavioral analysis, etc. This redundancy of scans results in a degradation of user experience as the AV ends up consuming a lot of valuable PC resources and impacting global performance.

Even as a lightweight agent, Panda Cloud Antivirus provides excellent protection as it applies intelligent interceptions and scans of the files in the local PC based on Collective Intelligence and its local cache copy. It does this by implementing different types of on-access scans which are defined as follows:

  • On-Access Scan. This is the maximum priority resident scan that is applied only to objects which are truly a security risk in a specific point in time: files which are being executed or used. The file is intercepted, prevented from running and disinfected if found to be malicious.
  • Prefetch Scan. There are other elements such as files downloaded from the Internet which, while not being executed at a specific point in time, have a much higher risk and probability of being executed at any time. These files should be watched more closely than files which have barely any activity, as we can expect them to be executed, unpacked, copied or moved shortly. A Prefetch Scan basically launches an asynchronous local & cloud query on the file to scan it “as soon as possible” without impacting performance. Of course if any of these files is called to be executed, the file will be intercepted and an on-access scan will be applied to it.
  • Background Scan. Lastly, a normal PC has hundreds of thousands of files on its hard drive. Most of these files are not normally executing and simply “sit there” until either the user double-clicks on them or they are called upon by another process. These are considered the least dangerous files from a security perspective. Panda Cloud Antivirus will continuously run Background Scans on these in an asynchronous manner while the PC is idle, without impacting performance at all. Of course if any of these files is called to be executed, the file will be intercepted and an on-access scan will be applied to it.
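The following is an added example (my own code, not the product's) that turns the three scan types above, together with the execute/open/copy scenarios in the Advanced Logging post, into a dispatcher: each file-system event is mapped to the scan tasks it triggers, tasks run in priority order, and only a blocking On-Access malware verdict denies the operation, while malware found by an asynchronous Prefetch scan produces a follow-up action on the copied file instead. The "disk" and verdict tables are constructed, PE-ness is decided by file extension, and the event names are assumptions.

```python
from dataclasses import dataclass

# Priorities as described in the post: On-Access is the maximum-priority resident
# scan, Prefetch is asynchronous "as soon as possible", Background runs only while idle.
PRIORITY = {"OnAccess": 0, "OnPrefetch": 1, "OnBackground": 2}
PE_EXTENSIONS = (".exe", ".com", ".dll")   # assumption: PE-ness decided by extension


def is_pe(path: str) -> bool:
    return path.lower().endswith(PE_EXTENSIONS)


@dataclass(frozen=True)
class ScanTask:
    task_type: str   # OnAccess / OnPrefetch / OnBackground
    path: str
    blocking: bool   # True: the triggering operation waits for the verdict


def tasks_for(event: str, src: str, dst: str = "") -> list:
    """Map a file-system event to the scan tasks the post describes.

    execute  -> OnAccess on the file; the operation is held until the verdict
    open     -> OnAccess (opening a file is treated as a high-risk action)
    copy     -> OnPrefetch on the destination, copy permitted; copying a non-PE
                file also opens the source, so OnAccess on the source as well
    download -> OnPrefetch (likely to be executed soon)
    idle     -> OnBackground, asynchronous, no user-visible impact
    """
    if event in ("execute", "open"):
        return [ScanTask("OnAccess", src, blocking=True)]
    if event == "copy":
        tasks = [ScanTask("OnPrefetch", dst, blocking=False)]
        if not is_pe(src):
            tasks.insert(0, ScanTask("OnAccess", src, blocking=True))
        return tasks
    if event == "download":
        return [ScanTask("OnPrefetch", src, blocking=False)]
    if event == "idle":
        return [ScanTask("OnBackground", src, blocking=False)]
    raise ValueError(f"unknown event {event!r}")


# Constructed "disk": path -> content identifier (stand-in for the file's hash),
# and constructed verdicts per content identifier (stand-in for cache + cloud).
DISK = {
    "C:\\T\\EICAR.EXE": "c-eicar",
    "C:\\T\\Achtung.doc": "c-achtung",
    "C:\\T\\mydoc.doc": "c-mydoc",
}
VERDICTS = {"c-eicar": "malware", "c-achtung": "malware", "c-mydoc": "goodware"}


def verdict_for(path: str) -> str:
    return VERDICTS.get(DISK.get(path, ""), "unknown")


def handle(event: str, src: str, dst: str = "") -> dict:
    """Run the event's tasks in priority order and report whether the operation proceeds."""
    tasks = sorted(tasks_for(event, src, dst), key=lambda t: PRIORITY[t.task_type])
    log, actions = [], []
    # Blocking (OnAccess) tasks are resolved before the operation is allowed to happen.
    for t in (t for t in tasks if t.blocking):
        v = verdict_for(t.path)
        log.append((t.task_type, t.path, v))
        if v == "malware":
            actions.append(("Neutralize", t.path))
            return {"allowed": False, "actions": actions, "log": log}
    # Blocking checks passed: the operation takes place, then the async tasks run.
    if event == "copy":
        DISK[dst] = DISK.get(src, "")
    for t in (t for t in tasks if not t.blocking):
        v = verdict_for(t.path)
        log.append((t.task_type, t.path, v))
        if v == "malware":
            actions.append(("Action", t.path))   # follow-up action on the file, copy already done
    return {"allowed": True, "actions": actions, "log": log}


if __name__ == "__main__":
    for ev in [("execute", "C:\\T\\EICAR.EXE"),
               ("copy", "C:\\T\\EICAR.EXE", "C:\\T\\EicarCopy.exe"),
               ("open", "C:\\T\\mydoc.doc"),
               ("copy", "C:\\T\\Achtung.doc", "C:\\T\\AchtungCopy.doc")]:
        print(ev, "->", handle(*ev))
```

The split between blocking and asynchronous tasks is the whole design point: the same malicious content is denied outright when executed, yet allowed to be copied and cleaned up shortly afterwards, because a copy on its own does not put the machine at immediate risk.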

Panda Cloud Antivirus represents for us a new model for protecting PCs in the manner that users have long been asking for: without performance impact. We hope that you enjoy this technology beta and can share your experiences and test results with us, both in this blog in the form of feedback at www.cloudantivirus.com or by sending an email directly to beta@pandasecurity.com.

TIA

Author: Pedro Bustamante | Categories: architecture

Welcome to the Panda Cloud Antivirus Beta

April 29th, 2009

Today we’re releasing the public beta of Panda Cloud Antivirus, which is the first free cloud-based antivirus thin-client. It consists of a lightweight antivirus agent that is connected in real-time to PandaLabs’ Collective Intelligence servers to protect faster against the newest malware variants while barely impacting PC performance.

Thanks to Panda Security’s Collective Intelligence malware and goodware online database, Panda Cloud Antivirus detects more malware than traditional signature-based solutions which take longer to detect the most recent, and therefore most dangerous, variants.

With Panda Cloud Antivirus we introduce a new protection model based on a thin-client agent & server architecture which services malware protection as opposed to locally installed products. By combining local detection technologies with cloud-scanning capabilities and applying non-intrusive interception techniques on the client architecture, Panda Cloud Antivirus provides some of the best protection with a lightweight antivirus thin-client agent that barely consumes any PC resources.

Our objective is to release a solution based on this new protection model which helps solve the malware problem by improving user experience. After almost 20 years fighting viruses and malware we have changed our mentality at Panda. We would like to open ourselves to you and show you how we intend to do things. In this blog we’ll explain in depth how this new model works in order to help improve it with you, our users.

As for the beta objectives, we’re interested in collecting information from betatesters, evaluators, testers, etc. that can provide feedback on how the new protection model works under different scenarios in order to help us verify it as a valid model and to adapt it to real life.

Of course, keep in mind that this is still beta code and as such we continue improving and tuning both the cloud architecture and detection techniques as well as the agent architecture, especially now during the initial phases. We’ll progressively release new versions which you’ll be able to use as we improve the overall protection and user experience.

Feel free to download Panda Cloud Antivirus if you haven’t done so yet. For suggestions please use the form located at www.cloudantivirus.com and for submitting bugs please use beta@pandasecurity.com.

Safe surfing,

Pedro Bustamante
Senior Research Advisor
http://research.pandasecurity.com


Author: Pedro Bustamante | Categories: architecture, beta