Microsoft Morro to proxy Internet traffic? Not likely.

Posted by Maxim Weinstein Fri, 12 Jun 2009 16:26:56 GMT

A blog post at PC World by Frank Ohlhorst implies that Microsoft’s forthcoming free anti-malware product, Morro, will proxy users’ Internet traffic:

Morro will work by routing all of a user's Internet traffic to a Microsoft datacenter, where the Morro application will process the traffic and identify and block malware in real time, by examining all of the rerouted traffic.

This seems very unlikely. First, the technical challenge of handling, and analyzing in real time, the Internet traffic of hundreds of millions of Internet users would be outrageous. Second, this would have tremendous privacy implications, and Microsoft has recently been pretty good at staying out in front of such issues.

An intern here at the Berkman Center e-mailed the article’s author to question his characterization of Microsoft’s new service. Ohlhorst answered that the Windows-based client would route traffic to Microsoft’s servers for analysis and back to the client, similar to "how Panda’s hosted security works."

I suspect Ohlhorst is referring to Panda’s Cloud Antivirus. If so, the comparison is probably closer to the truth than his explanation of it. Panda’s service has a client that monitors the PC for new processes and, when one is found, sends a cryptographic hash of the executable up to "the cloud" to learn whether the process is malware. This is, at least in theory, more efficient and effective than each client downloading definitions each day. Several AV products from other vendors use some variation on this theme, sending hashes, URLs, or sometimes even entire suspicious executables to a central server for analysis and/or checking against an updated block list. My educated guess, from what I’ve heard about Morro and seen elsewhere, is that Morro will do something similar, but will not route all of a user’s Internet traffic to Microsoft.
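To make the distinction concrete, here is an added example (written for this post, not code from Panda, Microsoft, or any other vendor) of the hash-lookup model described above: a client that hashes a newly seen executable, sends only the digest to a lookup service, and caches the verdict. The wire format (a small JSON request carrying a SHA-256 hex digest), the in-memory block list, and the sample "executables" are all constructed for the example; the real services use their own protocols.

```python
import hashlib
import json
import os
import tempfile

# Constructed sample "executables". No real malware is needed to show the
# protocol; the point is that only a fixed-size digest of these bytes leaves the host.
SAMPLE_MALWARE = b"MZ\x90\x00" + b"constructed malicious sample".ljust(4096, b"\x00")
SAMPLE_CLEAN = b"MZ\x90\x00" + b"constructed benign sample".ljust(4096, b"\x00")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class LookupServer:
    """Stand-in for a vendor-hosted lookup service (an assumption, not Panda's API)."""

    def __init__(self, blocklist: dict):
        self.blocklist = blocklist      # sha256 hex digest -> family label
        self.bytes_received = 0         # how much the "cloud" actually sees

    def handle(self, request: bytes) -> bytes:
        self.bytes_received += len(request)
        try:
            digest = json.loads(request)["sha256"]
        except (ValueError, KeyError, TypeError):
            return json.dumps({"verdict": "error"}).encode()
        # Refuse anything that is not a well-formed lowercase SHA-256 hex digest.
        if not isinstance(digest, str) or len(digest) != 64 \
                or any(c not in "0123456789abcdef" for c in digest):
            return json.dumps({"verdict": "error"}).encode()
        family = self.blocklist.get(digest)
        if family is not None:
            return json.dumps({"verdict": "malicious", "family": family}).encode()
        return json.dumps({"verdict": "unknown"}).encode()


class CloudAvClient:
    """Client side: hash each newly seen executable, ask the service, cache the answer."""

    def __init__(self, server: LookupServer):
        self.server = server
        self.cache = {}                 # digest -> verdict, avoids repeat lookups
        self.lookups = 0

    def check_executable(self, path: str) -> str:
        h = hashlib.sha256()
        with open(path, "rb") as f:     # stream the file; never buffer it whole
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
        if digest in self.cache:
            return self.cache[digest]
        self.lookups += 1
        request = json.dumps({"sha256": digest, "size": os.path.getsize(path)}).encode()
        verdict = json.loads(self.server.handle(request)).get("verdict", "error")
        if verdict != "error":          # do not cache transient failures
            self.cache[digest] = verdict
        return verdict


def demo() -> dict:
    """Run the exchange end to end on two constructed files and report what moved."""
    server = LookupServer({sha256_hex(SAMPLE_MALWARE): "Trojan.Constructed.A"})
    client = CloudAvClient(server)
    with tempfile.TemporaryDirectory() as d:
        bad, good = os.path.join(d, "bad.exe"), os.path.join(d, "good.exe")
        with open(bad, "wb") as f:
            f.write(SAMPLE_MALWARE)
        with open(good, "wb") as f:
            f.write(SAMPLE_CLEAN)
        results = {
            "bad_first": client.check_executable(bad),
            "good_first": client.check_executable(good),
            "bad_again": client.check_executable(bad),   # answered from the cache
        }
    results["lookups"] = client.lookups
    results["bytes_sent"] = server.bytes_received
    results["bytes_on_disk"] = len(SAMPLE_MALWARE) + len(SAMPLE_CLEAN)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things are visible in the numbers `demo()` returns: the service sees well under two hundred bytes for two executables that total over eight kilobytes on disk, and a repeat sighting of the same file costs no round trip at all. Neither the file nor any network traffic leaves the host, which is why this model scales to a large install base in a way that proxying every packet would not. The obvious limitation is also visible: the service can only answer about digests it already knows, so a freshly repacked binary comes back "unknown", which is the gap that sending URLs or whole suspicious samples (as mentioned above) is meant to close.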