Vmyths.com
Truth about computer security hysteria

Better antivirus software is worse than a virus?

Rob Rosenberger, Vmyths co-founder
Wednesday, 11 June 2003

LET'S MAKE ANOTHER important observation about antivirus software.  I'll use Network Associates as a typical example.

When the Melissa virus struck on 26 March 1999, Network Associates never once went offline.  They never delayed a single email to their employees.  Network Associates didn't release an update for their antivirus software until the wee hours of 29 March, yet they still automatically identified & quarantined all of the infected Melissa attachments sent to their employees' email addresses.

We can (correctly) assume Network Associates enforces a strong generic email security policy.  We can (correctly) assume they won't let employees send or receive certain attachments, for example.  But a strong email security policy doesn't explain how they could automatically identify & quarantine a virus when their own products couldn't even detect it.

Network Associates uses their own antivirus technology as a matter of corporate policy.  Ask yourself: how could they automatically identify & quarantine a virus when their own products couldn't detect it?

Answer: Network Associates uses a more-powerful antivirus technology than they sell to the public.  So does Symantec.  Sophos and Kaspersky Labs almost certainly do, too.  They've used it for years.  They could sell much better antivirus software if the public wanted to buy it ... but there's the rub.

The public at large doesn't want better antivirus software.  In fact, they abhor it.

The public at large believes antivirus software must fail to stop some viruses.  Any antivirus product that does not fail to stop some viruses is viewed as "worse" than the virus problem itself.  Indeed, the computer security experts at your firm may be among those who believe the cure (better antivirus software) is worse than the disease (viruses).

These believers — these apotemnophiliacs — would let viruses run rampant on their corporate networks before they'd give up inferior antivirus technology.

These believers influence the public at large and you'll find them scattered all throughout the IT industry like a noxious weed.  GartnerGroup's analysts, for example, have long acknowledged the existence of better antivirus technology, yet they urged their clients for years to stick with "tried and true" products that they admitted would fail on a routine basis.

(Hmph.  GartnerGroup charges big bucks for each shallow-thinking antivirus analysis they publish.  Then they read every insightful analysis we publish for free at Vmyths.  Then GartnerGroup's analysts change their opinions.  Then GartnerGroup charges more big bucks for each revised analysis they publish!)


SAY IT OUT loud: "the cure is worse than the disease."  It sounds absurd, doesn't it?  And yet the public at large believes it.

The public at large knows antivirus software will fail to do its job on a routine basis — yet they'll gladly buy antivirus software.  Society blames everything but the antivirus software when it fails to stop a virus.  Indeed, society applauds the antivirus industry every time they fix their broken software.

Of course, I predict society will someday grow tired of antivirus software that fails to stop some viruses by its very design.  Society will someday grow tired of the "addictive update model."  They'll someday demand better antivirus technology that doesn't require constant updating.  (And mark my words: Air Force CIO John Gilligan and former White House flunky Howard Schmidt will lead the charge.  They're already spouting the very words I've said for six years now.)

You can see a kernel of frustration over "current" antivirus technology if you know where to look.  For example, About.com network expert Tony Bradley recently griped about it:

The entire model of developing a signature for the new threat and adding it to the database of detected threats will eventually become too cumbersome in my opinion anyway.  Currently the weekly SuperDAT update from McAfee, which includes both the updated virus database as well as an updated detection engine, is about 5 MB in size.  New viruses are detected weekly and sometimes daily.  Eventually this file may be 10 MB, 50 MB or 100 MB.  Not only will it become too daunting for users to download each week, but it may significantly affect the performance of your computer if it has to verify all network traffic against this database.

This method also means that the security experts and antivirus vendors are always one step behind the malicious code writers.  It is a reactionary model where nothing is done proactively.  The virus writer gets the first move and if it's a good one it can cause major damage before the antivirus community can develop an effective response.

I can't tell if Bradley recognizes his addiction to antivirus updates, or if he just almost recognizes it.  Still, he can see what the future holds for his addiction, and I'll give him serious credit for it.  Bradley knew enough about antivirus software to discuss "heuristic" (aka proactive) virus detection methodologies in his opinion piece:

Most antivirus software performs heuristic scanning as well which can detect some unknown threats.  Heuristic scans attempt to detect virus or worm activity by comparing traffic against past virus-like activity and looking for behavior that is anomalous or out of the ordinary.

Unfortunately, Bradley quickly fell into the same trap GartnerGroup analysts long occupied when he proclaimed "heuristic scanning is far from perfect though and doesn't catch a lot of new viruses."  Bradley — like the other believers out there — assumes better antivirus technology doesn't exist.


LET'S RETURN TO the Melissa virus in 1999.  The folks at Leprechaun (an antivirus firm in Australia) emailed me with some trepidation.

They wanted to let me know their antivirus product didn't need an update to detect the virus — but they had to issue a placebo update to calm a majority of their own customers who refused to believe the truth!

Need another example?  MessageLabs emailed me at the height of the Nimda virus hysteria in 2001 to brag how effortlessly they could detect it:

Nimda attempts to spread itself in so many different ways, that I would have been very, very unhappy if Skeptic [their flagship heuristic scanner] had not detected this...  Skeptic detected three components of Nimda which caused it to immediately stop the virus.  Two of these components were detected by the exploit detector.  These were both exploits that had been published for a long time, and that had been used in previous malware.  The third component was detected by the code analyser — Skeptic detected that the executable showed virus-like activity.

Memo to Tony Bradley: MessageLabs offers a 100% virus detection guarantee or your money back.  I first mentioned their guarantee in a 2001 column.  Why not give 'em a try?  Tell 'em Vmyths sent you and you'll get your first month free to test it.

Heh heh.  I'm joking about the free month, but it wouldn't surprise me if they made good on my faux offer.  [Editor's note: Vmyths refuses to run ads for antivirus products & services in order to maintain our independence.]

MessageLabs' bragging led me to make a savvy observation in my column:

I'd normally gloss over the fact Skeptic only detected Nimda three ways better than today's popular antivirus software...  I infer their heuristics didn't detect other obvious aspects of Nimda, and it leads me to believe Skeptic needs an upgrade.  But like I said, I'd normally gloss over this minor shortcoming — because Skeptic didn't require an update to detect Nimda.  If your antivirus product needed a patch, then you need a better antivirus product.

I published that comment in 2001.  Bradley claimed "heuristic scanning ... doesn't catch a lot of new viruses" in 2003.  No offense to Bradley, but he obviously needs a better antivirus product.
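
The three detection layers this column keeps contrasting (the signature "DAT" file Bradley describes, and the exploit detector and code analyser MessageLabs credits for stopping Nimda) as an added Python illustration.  This is not Skeptic, VirusScan or any vendor's engine, and nothing in it is taken from the original page: every attachment, byte marker, heuristic regex, point value and "W97M/Example" name is constructed for the example.  It models the situations the column describes: a rewritten variant that no signature covers yet, a benign document with an auto-run macro that the heuristics let through, an executable delivered under a non-executable MIME type, and the "placebo update" that adds a signature for a sample the heuristics already stop.

```python
# Added illustration for this column: a three-layer mail-gateway scanner
# (signature DAT, exploit-pattern detector, behavioural code analyser).
# Constructed example; it is not Skeptic, VirusScan or any vendor's engine.
# Every sample, marker, regex and "W97M/Example" name below is invented.
import re
from dataclasses import dataclass


@dataclass
class Attachment:
    name: str               # filename as carried in the message
    declared_type: str      # MIME Content-Type the message claims for it
    payload: bytes          # raw attachment bytes
    macro_source: str = ""  # embedded macro text (stand-in for parsing the container)


# Layer 1: the "DAT" database, exact byte patterns of samples already seen.
# A rewritten variant has different bytes, so this layer is blind to it
# until the next update ships.
SIGNATURE_DB = {"W97M/Example.A": b"EXAMPLE-STRAIN-A-MARKER"}  # constructed marker


def signature_scan(att, db):
    return [name for name, pattern in db.items() if pattern in att.payload]


# Layer 2: exploit detector, generic delivery tricks that malware reuses for
# years after publication. Indicators are constructed, not tied to any bug.
def exploit_scan(att):
    hits = []
    if att.payload[:2] == b"MZ" and not att.declared_type.startswith("application/"):
        hits.append(f"executable payload declared as {att.declared_type}")
    if re.search(r"\.(txt|jpg|wav)\.(exe|scr|vbs|bat)$", att.name, re.I):
        hits.append("double extension hides an executable")
    return hits


# Layer 3: code analyser. Each virus-like trait adds points; the verdict
# rests on the total, not on having seen this exact sample before.
TRAITS = (
    ("auto-run entry point",      re.compile(r"\b(Auto_?Open|Document_Open|AutoExec)\b", re.I), 2),
    ("enumerates address book",   re.compile(r'AddressLists|GetNamespace\("MAPI"\)', re.I),      2),
    ("sends mail",                re.compile(r"\.Send\b|CreateItem\(0\)", re.I),                  2),
    ("copies itself to disk",     re.compile(r"\.SaveAs\b|FileCopy", re.I),                      1),
    ("disables security prompts", re.compile(r"DisableAlerts|Security\s*=\s*1", re.I),           2),
)
THRESHOLD = 4  # lower it and more variants are caught, but more benign macros too


def code_analyse(att):
    score, matched = 0, []
    for name, rx, points in TRAITS:
        if rx.search(att.macro_source):
            score += points
            matched.append(name)
    return score, matched


@dataclass
class Verdict:
    signatures: list
    exploits: list
    score: int
    traits: list

    @property
    def quarantined(self):
        return bool(self.signatures or self.exploits or self.score >= THRESHOLD)


def scan(att, db=SIGNATURE_DB):
    score, traits = code_analyse(att)
    return Verdict(signature_scan(att, db), exploit_scan(att), score, traits)


def placebo_update(att, db=SIGNATURE_DB):
    """The 'placebo update' from the column: add a signature for a sample the
    heuristics already stop and report the verdict before and after."""
    before = scan(att, db).quarantined
    updated = dict(db)
    updated["W97M/Example.B"] = att.payload[4:36]  # 32 bytes of the sample's own body
    after = scan(att, updated).quarantined
    return before, after


# Constructed samples. OLE_MAGIC is only the container header; the rest is text.
OLE_MAGIC = b"\xd0\xcf\x11\xe0"
MAILER_MACRO = """Sub Document_Open()
  Set ol = CreateObject("Outlook.Application")
  Set ns = ol.GetNamespace("MAPI")
  For Each lst In ns.AddressLists
    Set msg = ol.CreateItem(0)
    msg.Attachments.Add ActiveDocument.FullName
    msg.Send
  Next
End Sub"""
VARIANT_MACRO = MAILER_MACRO.replace("msg", "m")  # same behaviour, different bytes
BENIGN_MACRO = 'Sub Auto_Open()\n  MsgBox "Welcome"\nEnd Sub'

KNOWN = Attachment("list.doc", "application/msword",
                   OLE_MAGIC + b"EXAMPLE-STRAIN-A-MARKER" + MAILER_MACRO.encode(), MAILER_MACRO)
NOVEL = Attachment("list2.doc", "application/msword",
                   OLE_MAGIC + VARIANT_MACRO.encode(), VARIANT_MACRO)  # no DAT exists for it
BENIGN = Attachment("memo.doc", "application/msword",
                    OLE_MAGIC + BENIGN_MACRO.encode(), BENIGN_MACRO)
EXE_AS_AUDIO = Attachment("song.wav", "audio/x-wav", b"MZ\x90\x00" + b"\x00" * 60)

if __name__ == "__main__":
    for sample in (KNOWN, NOVEL, BENIGN, EXE_AS_AUDIO):
        v = scan(sample)
        print(f"{sample.name:13} quarantined={v.quarantined!s:5} sigs={v.signatures} "
              f"exploits={v.exploits} score={v.score} traits={v.traits}")
    print("placebo update on NOVEL (before, after):", placebo_update(NOVEL))
```

Run it and the signature layer catches only the sample it has a marker for, while the rewritten variant is stopped on behaviour alone and the executable disguised as audio is stopped by the exploit layer.  The benign auto-run document scores below the threshold and passes, which is the trade-off Bradley's "doesn't catch a lot of new viruses" points at: the threshold and trait weights decide how much of that gap a product closes and how many legitimate macros it quarantines doing so.  Adding a signature for the variant afterwards changes nothing about its verdict, which is exactly the placebo update Leprechaun described.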

I spoke by phone with MessageLabs CTO Mark Sunner while writing this column, and I spoke by phone with Network Associates bigwig Peter Watkins in 1999 to learn how they stopped Melissa from invading their own computers.  No offense to Bradley, but who did he talk to while writing his column about antivirus technology?


WHEN SOCIETY FINALLY demands better antivirus technology, I predict the global antivirus cartel will stand up as one and shout "eureka, the state of the art has advanced, and just in the nick of time!"

I'll back the industry 110% when their marketers lie to Bradley about the "sudden" technological advancement in antivirus software...