its supposed to use the cloud to check a setup when its installing
are you sure the malware is detected by the cloud not the local signatures?