Microsoft Details Anti-Malware Cloud-Based System

By John Lister

Microsoft says it used artificial intelligence not only to spot and identify an attempted malware attack, but to block it more than a thousand times in the following half hour. It says the defense was possible thanks to Windows Defender running locally on the victim's computer combined with analysis of the snippet of code by cloud-based anti-malware.

The company calls it an example of machine learning. This means computers are able to figure things out for themselves, rather than simply following the 'true or false' routines hard-coded into a program. Similar to antivirus, the most basic level of anti-malware protection simply scans a computer looking for files that are already known to be malware. More sophisticated defenses such as the 'machine learning' approach, however, can work out the characteristics of potentially malicious software that has never been seen before.

Decision Tree Shows Risk

The first line of defense came on the computer belonging to a Windows 7 user in North Carolina. Windows Defender spotted something was amiss by looking at the code in an unfamiliar file and, before it could be opened, simulating what would happen if the file was executed. (Source:

The next step was running a decision tree. This meant looking at various characteristics of the file and giving each a probability rating for how likely it was to mean the file was malicious. Windows Defender then crunched the numbers on various combinations of these individual probability ratings to give an overall rating.
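The decision-tree step described above, as an added example that is not Microsoft's or Windows Defender's code: a small ID3-style tree rates a file's characteristics, each leaf holding the fraction of training files under it that were malicious (the "probability rating"), and several trees built on different combinations of characteristics are averaged into one overall rating. The feature names, the training rows and the thresholds are all constructed for the example and are not Defender's real feature set.

```python
"""Added example: decision-tree scoring of file characteristics.

Assumptions (not from the article): the four binary features below, the
ten constructed training rows, a max tree depth of 3, and a 0.5 threshold.
"""
import math
from collections import Counter

# Constructed feature names a scanner might derive from a file before running it.
FEATURES = ["high_entropy", "unsigned", "writes_startup", "hides_window"]

# Constructed training set: (features, label) with label 1 = malicious, 0 = clean.
TRAIN = [
    ({"high_entropy": 1, "unsigned": 1, "writes_startup": 1, "hides_window": 1}, 1),
    ({"high_entropy": 1, "unsigned": 1, "writes_startup": 1, "hides_window": 0}, 1),
    ({"high_entropy": 1, "unsigned": 0, "writes_startup": 1, "hides_window": 1}, 1),
    ({"high_entropy": 0, "unsigned": 1, "writes_startup": 1, "hides_window": 1}, 1),
    ({"high_entropy": 1, "unsigned": 1, "writes_startup": 0, "hides_window": 0}, 0),
    ({"high_entropy": 0, "unsigned": 0, "writes_startup": 0, "hides_window": 0}, 0),
    ({"high_entropy": 0, "unsigned": 1, "writes_startup": 0, "hides_window": 0}, 0),
    ({"high_entropy": 1, "unsigned": 0, "writes_startup": 0, "hides_window": 0}, 0),
    ({"high_entropy": 0, "unsigned": 0, "writes_startup": 1, "hides_window": 0}, 0),
    ({"high_entropy": 0, "unsigned": 0, "writes_startup": 0, "hides_window": 1}, 0),
]


def entropy(rows):
    """Shannon entropy (bits) of the malicious/clean label mix in rows."""
    counts = Counter(label for _, label in rows)
    total = len(rows)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def split(rows, feat):
    """Partition rows by whether the feature is present (1) or absent (0)."""
    yes = [r for r in rows if r[0][feat] == 1]
    no = [r for r in rows if r[0][feat] == 0]
    return yes, no


def build_tree(rows, features, depth=0, max_depth=3):
    """ID3-style tree: split on the feature with the largest information gain.
    A leaf stores the fraction of malicious rows, used as the probability."""
    labels = {label for _, label in rows}
    if len(labels) == 1 or not features or depth == max_depth:
        return {"leaf": sum(label for _, label in rows) / len(rows)}
    base = entropy(rows)
    best_feat, best_gain = None, 0.0
    for feat in features:
        yes, no = split(rows, feat)
        if not yes or not no:
            continue  # feature does not separate anything here
        gain = base - (len(yes) * entropy(yes) + len(no) * entropy(no)) / len(rows)
        if gain > best_gain:
            best_feat, best_gain = feat, gain
    if best_feat is None:
        return {"leaf": sum(label for _, label in rows) / len(rows)}
    yes, no = split(rows, best_feat)
    rest = [f for f in features if f != best_feat]
    return {
        "feat": best_feat,
        "yes": build_tree(yes, rest, depth + 1, max_depth),
        "no": build_tree(no, rest, depth + 1, max_depth),
    }


def predict(tree, sample):
    """Walk one tree and return the probability stored at the leaf reached."""
    while "leaf" not in tree:
        tree = tree["yes"] if sample[tree["feat"]] == 1 else tree["no"]
    return tree["leaf"]


def train_ensemble(rows, features):
    """One tree per feature subset (each drops one feature), so the overall
    rating combines several different combinations of characteristics."""
    subsets = [[f for f in features if f != dropped] for dropped in features]
    return [build_tree(rows, subset) for subset in subsets]


ENSEMBLE = train_ensemble(TRAIN, FEATURES)


def malware_probability(sample, trees=ENSEMBLE):
    """Average the per-tree probability ratings into one overall rating."""
    return sum(predict(t, sample) for t in trees) / len(trees)


def verdict(sample, threshold=0.5):
    """Local decision: escalate files rated at or above the threshold."""
    return "suspicious" if malware_probability(sample) >= threshold else "clean"


if __name__ == "__main__":
    packed_unsigned_autostart = {"high_entropy": 1, "unsigned": 1,
                                 "writes_startup": 1, "hides_window": 1}
    print(malware_probability(packed_unsigned_autostart), verdict(packed_unsigned_autostart))
```

With these constructed rows the tree that ignores `writes_startup` rates a packed, unsigned, window-hiding file that does not touch startup as malicious while the other three trees do not, so the averaged rating lands at 0.25 and stays below the threshold: that is the point of combining ratings rather than trusting any one characteristic.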

Online Analysis Far Quicker

Once Windows Defender decided that the file was more likely than not to be malware, the online ("cloud") element kicked in. Microsoft's cloud computers then carried out assessments similar in principle to those Windows Defender ran on the PC, but with the ability to crunch data far more quickly and to draw on a bigger database of previously confirmed malware.

According to Microsoft, it took less than a minute from Windows Defender first spotting the file to reporting it to the Microsoft computers as a potential risk. The online analysis then took a matter of seconds before sending out a message to Windows PCs worldwide that the file should be considered malicious. That meant those computers could block the file without needing to analyze it locally. (Source:
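The local-then-cloud flow described in the two sections above, as an added example that is not Microsoft's or Windows Defender's code: a client whose local scan rates a file as likely malware sends the file's hash and local score to a cloud service; the cloud checks its larger database, records a block verdict, and pushes that verdict to every registered client, which then blocks the file by hash lookup without running its own analysis. The entropy-based local scorer, the thresholds, the message fields and the sample file bytes are all constructed for the example.

```python
"""Added example: a toy model of local detection escalated to a cloud service.

Assumptions (not from the article): the local score is byte entropy scaled
to 0..1, local escalation at >= 0.7, cloud block at >= 0.8, and verdicts are
pushed to clients through a simple registration list.
"""
import hashlib
import math
from collections import Counter

LOCAL_THRESHOLD = 0.7   # constructed: escalate to the cloud above this score
CLOUD_THRESHOLD = 0.8   # constructed: the cloud's own decision rule


def local_score(data):
    """Constructed stand-in for on-device analysis: byte entropy / 8."""
    counts = Counter(data)
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / 8.0


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class CloudService:
    """Receives escalations, decides, and broadcasts block verdicts."""

    def __init__(self, known_bad=()):
        self.known_bad = set(known_bad)   # hashes confirmed malicious earlier
        self.blocklist = set()            # verdicts already published
        self.clients = []                 # registered clients to push to
        self.reports = {}                 # hash -> local scores received

    def register(self, client):
        self.clients.append(client)

    def submit(self, report):
        """Handle one client report {'sha256': ..., 'score': ...}; return verdict."""
        h, score = report["sha256"], report["score"]
        self.reports.setdefault(h, []).append(score)
        if h in self.known_bad or h in self.blocklist:
            verdict = "block"
        else:
            # Constructed rule standing in for the cloud-side classifier.
            verdict = "block" if score >= CLOUD_THRESHOLD else "allow"
        if verdict == "block" and h not in self.blocklist:
            self.blocklist.add(h)
            for client in self.clients:      # the "message to PCs worldwide"
                client.receive_verdict(h, "block")
        return verdict


class Client:
    """A PC running the local scanner and holding pushed cloud verdicts."""

    def __init__(self, name, cloud):
        self.name = name
        self.cloud = cloud
        self.verdict_cache = {}   # hash -> verdict pushed by the cloud
        self.local_scans = 0      # how often full local analysis ran
        cloud.register(self)

    def receive_verdict(self, h, verdict):
        self.verdict_cache[h] = verdict

    def scan(self, data):
        """Return how the file was handled on this client."""
        h = sha256(data)
        if self.verdict_cache.get(h) == "block":
            return "blocked-by-cloud-verdict"   # no local analysis needed
        self.local_scans += 1
        score = local_score(data)
        if score < LOCAL_THRESHOLD:
            return "allowed-locally"
        verdict = self.cloud.submit({"sha256": h, "score": score})
        return "blocked-after-escalation" if verdict == "block" else "allowed-by-cloud"


def run_scenario():
    """Constructed scenario: one PC escalates a high-entropy file, a second
    PC then blocks the same file from the pushed verdict alone."""
    cloud = CloudService()
    first_pc = Client("first-pc", cloud)
    second_pc = Client("second-pc", cloud)
    packed_file = bytes(range(256))          # constructed: maximal byte entropy
    text_file = b"hello world " * 20         # constructed: low-entropy content
    return {
        "first": first_pc.scan(packed_file),
        "second": second_pc.scan(packed_file),
        "second_local_scans": second_pc.local_scans,
        "benign": first_pc.scan(text_file),
        "reports_for_packed": len(cloud.reports[sha256(packed_file)]),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The second PC never runs its own analysis of the packed file: the verdict arrives by hash, which is the saving the article describes when it says other computers could block the file without analyzing it locally.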

What's Your Opinion?

Are you impressed by the way the security tools worked in this case? Do you rely on Windows built-in security or do you use third-party tools? What improvements would you like to see to the security tools you use?



Dennis Faas:

This case study demonstrates the power of cloud computing. Normally it might take days to 'crunch the numbers' to provide a deep analysis of data, but cloud-based servers are able to do it in a matter of seconds. These cloud servers are in fact clusters of very powerful computers linked together to form a supercomputer. Each computer in the link processes part of the job and eventually all the computers combine to provide the result. This is also similar to how IBM's "Watson" computer works. Very impressive indeed!

trbruce_9594:

So the big question in my mind is how long and how many committees Microsoft needs before they can apply this. It sounds like a no-brainer, but recognize that MS has its own bureaucracy to wind through before a decision gets made.

Stuart Berg:

What if this were implemented at the levels above individual computers? In other words, what if company networks and all ISPs implemented this? Then, since all individual computers would be unable to receive or propagate malware, they are protected without implementing it on billions of individual computers. There would be no benefit for malware developers to create their nasty software.

Dennis Faas:

This is a nice idea but not viable. Telecommunications companies are not computer science geniuses capable of analyzing, fixing, or patching operating systems. This has everything to do with detecting malware that is capable of running an exploit in an operating system (usually with elevated permissions) and delivering an infected payload, versus using hardware to deliver data from A to B. These are two completely separate issues.

Doccus:

There's a dark side too. OK, I love the fact that the cloud protection can analyze a local computer and, if suspicious, send a warning or a patch to every Windows PC worldwide. In a matter of seconds, no less. I mean, right now, if I find a suspicious file, it has to be submitted to the AV manufacturer for analysis, and if bad, they send out a warning and then an update. A fast AV company can do this in only a day. I don't know how Win Defender worked if it found a suspicious file; likely somehow it submitted it to MS. A day, again, I suspect. This new procedure takes seconds.
But, what if it finds an "illegal" file on the PC? Maybe with a suspect serial? OK, I don't condone cracking, but the point is it might be mistaken. Even so, it can send a signal to all the PCs worldwide and shut down that particular application. Or, if it finds some kind of app that allows for anonymous browsing, or perhaps some kind of snoop blocker to prevent the PTBs from invading one's space, it can then send a signal to all the PCs to disable that app. An AI can identify pretty much anything you ask it to, after all. Any time you place power over people in the hands of the few, you can be sure it will eventually get misused against the majority.
Or, have I misunderstood the capabilities of this new system?