Truth about computer security hysteria
Face it: we're a bunch of addicts

Rob Rosenberger, Vmyths co-founder
Tuesday, 26 October 1999

A ZDNN story about the latest Melissa variants piqued my interest. Reporter Jim Kerstetter offered a great overview of signature scanning vs. heuristics — yet his opening "farm" analogy makes me wonder if he understands Melissa's ultimate lesson. I want to give Kerstetter the benefit of the doubt, but I'll still nitpick a sidebar graphic on "protecting yourself" (shown at right, author unknown, possibly not Kerstetter).

(Sidebar graphic: "Protecting yourself." Courtesy ZDNN.)

The first piece of advice urges readers to "install anti-virus software at the Internet gateway, on servers and on clients." Utterly obvious, everyone should take this advice, many don't, we can't stress it enough, blah blah blah. "However..."

Let's remember an important point, folks. Melissa and its variants slipped past popular gateway antivirus packages. They slipped past popular email backbone antivirus packages and popular file server antivirus packages. These generic Word macro viruses also slipped past popular desktop antivirus packages which bind directly to email clients and monitor every file opened in Microsoft Word. Until recently, experts worldwide blamed Melissa's spread on everything except this one overwhelming vulnerability. I agree you should install antivirus software on gateways and servers and workstations — so long as you understand the obvious impact of this vulnerability.

This leads us into ZDNN's second piece of advice: "update virus definitions daily." This helps to reduce the vulnerability. Recommendations over the years went from "quarterly" updates, to "monthly" updates, to "weekly" updates, and now "daily" updates.

Think about the average Fortune 1000 firm for a moment. Do you believe the average security guru can convince an entire company to update on a weekly basis, let alone daily? Think of the LAN bandwidth it would take to support just 5,000 PCs every day. Or even every week. Now think of the Internet bandwidth antivirus firms already need just to support customer updates.
Some people claim they need a better update capability than the average large firm can handle. Oh? These people probably base their "need" on the fact they can support the need. "I require weekly updates because I can get weekly updates. I require daily updates because I can get daily updates..." On the other hand, corporate experts find it difficult to justify faster updates. They deal constantly with employees who declare antivirus software a "nuisance" (and the Hey Macaroni! screen saver a "necessity"). Virus fighters occasionally stumble over PCs which run safely despite running for years with no antivirus software. Few users truly need a better update capability than Fortune 1000 firms can support. Still, people demand it. The world will need a lot more Internet & Intranet bandwidth if it wants updates on a daily basis. All this, just so the entire planet can retrieve antivirus updates more often.
Ironically, many users remained vulnerable to Melissa for up to three days no matter how often they tried to update during that period. If Melissa proved anything, it proved you can't always update fast enough after the fact. This leads us to a philosophical question: "why must we update on a regular schedule?" Do security teams update the firewall software every Sunday afternoon? Do network administrators update WinNT server device drivers every Tuesday morning?
Face it — we're a bunch of addicts waiting to score our next antivirus fix. It gives us a feeling of comfort, a feeling of elation, exactly like a drug. We injected updates into our computers on a quarterly basis, then monthly, then weekly. Now ZDNN wants us to score a fix every day. What next: hourly?

We need to get over our addiction. It'll take effort. First we need to overcome our psychological urge to update antivirus software after the fact. Believe me when I say we can break this obsessive-compulsive behavior. Call it "heuristics" or "profile-based scanning" or "generic detection" or whatever. We actually can detect viruses the instant they exist. We actually can detect viruses before the fact. Don't let the addicts convince you otherwise.
"F-PROT, for example, was able to detect W97M/Melissa.A ... in its January '99 release."
-- Bruce P. Burrell, 'Virus Busters' team leader, University of Michigan

"The fact is that Sophos started with this approach years ago before we had a virus-specific product. We had (and indeed still have) a utility called Vaccine. What we found was that customers don't like generic anti-viruses. It's actually the customers who have insisted on virus specific protection rather than the [antivirus] companies."
-- Graham Cluley, Sr. Technology Consultant, Sophos

"Our product ... in fact [could detect and remove Melissa at least] four weeks before it hit."
-- "Bryan," technical support, Leprechaun Software
(Other antivirus firms will want to chime in with a quote. "Hey, we detected Melissa before the fact too!" This link will eventually point to a collection of those quotes. Send 'em to me, guys!)

This leads us to ask why we got so addicted in the first place. You'll find the answer here. We can deal with the rest of ZDNN's advice whenever we finally break our obsessive-compulsive behavior...
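The signature-versus-generic distinction this column leans on, as an added illustration that is not part of the original article or of any product it names: a toy Python scanner runs an exact-string signature and a behaviour profile over three constructed VBA listings. The listings, the signature string and the profile patterns are all assumptions made for this example; the second variant changes only names and strings, which is enough to defeat the signature but not the profile.

```python
import re

# Constructed sample listings, of the kind an on-access scanner sees after
# extracting VBA source from a Word document. They are fragments written for
# this example, not working macros and not Melissa's code.
VARIANT_A = """\
Private Sub Document_Open()
    Set app = CreateObject("Outlook.Application")
    msg.Subject = "Important message from " & Application.UserName
    msg.Attachments.Add ActiveDocument.FullName
    msg.Send
End Sub
"""

# Same behaviour, different literals and variable names: an exact signature
# lifted from VARIANT_A does not recognise it.
VARIANT_B = """\
Private Sub AutoOpen()
    Set ol = CreateObject("Outlook.Application")
    m.Subject = "Here is the document you asked for..."
    m.Attachments.Add ActiveDocument.FullName
    m.Send
End Sub
"""

# Ordinary auto-run macro with no mail behaviour; a generic rule must not flag it.
BENIGN = """\
Private Sub Document_Open()
    ActiveDocument.Range.Font.Name = "Arial"
End Sub
"""

# Signature scanning: one exact string taken from a sample already analysed.
SIGNATURE = 'msg.Subject = "Important message from "'

# Generic detection: the behaviour profile of a self-mailing macro, independent
# of the exact strings its author chose. All three parts must be present.
PROFILE = {
    "auto_exec": re.compile(r"\bSub\s+(Document_Open|AutoOpen|AutoExec)\b", re.I),
    "mail_client": re.compile(r'CreateObject\("Outlook\.Application"\)', re.I),
    "mails_self": re.compile(r"Attachments\.Add\s+ActiveDocument\.FullName[\s\S]*?\.Send\b", re.I),
}

def signature_match(vba: str) -> bool:
    """True only for the variant the signature was written against."""
    return SIGNATURE in vba

def generic_match(vba: str) -> bool:
    """True when the whole profile is present, so unseen variants are caught too."""
    return all(rx.search(vba) for rx in PROFILE.values())
```

The same behaviour profile also lets you trade false positives for coverage: widening "auto_exec" to more entry points catches more variants, while the benign listing shows why the mail-sending parts must stay mandatory.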