
May 2002

Special Report

7 Things You Should Know About AV

When it comes to fighting viruses, don't assume the "standard" way is the best way.

BY Rob Rosenberger

Have you seen that cute screen saver of the Budweiser Frogs? If you do, be careful, 'cause if you download it, you'll lose everything! Your hard drive will crash, and someone from the Internet will get your screen name and password!

This is one of the hundreds of computer virus myths, hoaxes and urban legends I've dispelled on my Web site, vmyths.com. Seems like every day, there's a new hoax circulating on the 'Net, duping users into spamming their friends and relatives with bogus alerts that advise them to "SEND THIS TO EVERYONE YOU KNOW IMMEDIATELY!!!"

While most IT security managers recognize the tell-tale signs of a virus hoax, many of them operate under mistaken assumptions about the best ways to fight viruses--including what their AV software should and shouldn't do to help.

1. We're addicted to antivirus updates--and shouldn't be.

We used to inject our PCs with an AV update every quarter, and it felt great. Then we needed a monthly "fix." Next, experts recommended AV updates on a weekly basis. In 1999, users were urged to download an update every single day in preparation for the much-hyped "Y2K viruses." And by May 2000, vendors were telling us to update AV software multiple times per day to deal with all the LoveLetter variants.

Recommendations have returned to weekly AV updates (in "normal" situations), and this may help those of us suffering from a pseudo-syndrome called "addictive updating," triggered by the mildly euphoric sensation we get after obtaining the latest AV update.

AV vendors don't like to point out this addiction, but it's there. In most cases, updating desktop AV daily or even weekly offers only a small increase in effectiveness over updating monthly.

2. Users blame everything except AV software when a virus spreads out of control.

AV software occasionally fails. Yet everything but the software is blamed when a virus gets through and costs enterprises in cleanup expenses and lost productivity.

Security experts blame Microsoft OSes and faulty application software, which is like blaming Boeing for making a flying bomb. Enterprise administrators blame users for failing to recognize a .vbs attachment, even though the AV software also failed to recognize it. Companies order employees to keep an eye out for infected e-mails that an AV product allowed into the network. That's like asking airline passengers to hunt for a terrorist who brazenly walked past a security checkpoint.

Society recently demanded a complete overhaul of inferior airport security. Yet few organizations are demanding better antivirus software from the AV vendors.

3. Better AV technology exists, yet customers won't use it.

Few users remember the days when AV software used "profiling" to detect viruses. Experts call it "heuristic detection," and AV firms use advanced heuristics techniques to keep their own networks free of viruses. Most AV products include some heuristics capabilities, but AV vendors are reluctant to market this technology. Why? Because customers fear change.

Pressure a firm's computer security manager for an explanation, and he or she may very well proclaim, "The cure is worse than the disease." In other words, it costs less to clean up after a virus than to finely tune heuristics software to keep the virus out of the network in the first place.

Few people know that better AV technology exists for one important reason: computer magazines don't like to review heuristic-based AV software. It's much easier to review a "virus scanner" than a "virus profiler."
 
4. Firms can outsource their most important AV headache, yet most don't.

The concept of a "managed firewall service" has grown in popularity. Many firms have discovered it's a major headache to take care of a firewall and are willing to pay outside professionals to do it for them.

If we can outsource the management of firewalls, can we also outsource the management of e-mail security? The answer is a resounding "yes." Companies can hire a firm to scan both incoming and outgoing e-mails for spam and viruses. By judiciously setting a few domain records and firewall parameters, an admin can make sure every e-mail goes through the hired helpers.

Managed e-mail security firms include MessageLabs (http://www.messagelabs.com/), Brightmail (http://www.brightmail.com/) and AvoCon (http://www.avocon.com/). Companies already using a managed firewall service should see if their provider can manage e-mail security as well. The truly bold might even consider outsourcing all things e-mail and giving the Exchange administrator a new job.
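One way to verify the "domain records and firewall parameters" step, as an added example that is not from the article or any vendor: it audits a domain's MX records and inbound SMTP firewall rules for any path that lets mail reach the server without passing through the provider. The provider name, MX hosts, address ranges and rules are constructed placeholders.

```python
"""Check that a domain's mail routing actually forces all inbound e-mail
through a managed scanning provider.  Added example; the provider name,
MX hosts, address ranges and rules are constructed placeholders."""
import ipaddress

# Constructed sample input: the zone's MX records (priority, host), the
# provider's MX suffix and relay ranges, and the perimeter firewall's
# inbound rules for TCP/25 as (source CIDR, action).
MX_RECORDS = [(10, "mx1.managed-scanner.example"),
              (20, "mx2.managed-scanner.example"),
              (30, "mail.corp.example")]          # stale direct MX
PROVIDER_SUFFIX = ".managed-scanner.example"
PROVIDER_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]
SMTP_RULES = [("203.0.113.0/24", "allow"),
              ("198.51.100.0/25", "allow"),
              ("0.0.0.0/0", "allow")]              # legacy any-to-25 rule


def audit_mail_routing(mx_records, provider_suffix, provider_ranges, smtp_rules):
    """Return a list of findings; an empty list means every path to the
    mail server goes through the provider."""
    findings = []
    # 1. Every MX host must belong to the provider.  A sender may pick
    #    any MX, so one stray record is a scanner bypass via DNS.
    for prio, host in mx_records:
        if not host.lower().endswith(provider_suffix):
            findings.append(f"MX {prio} {host} does not point at the provider")
    # 2. Inbound TCP/25 must be allowed only from the provider's relays.
    #    Anything broader lets a sender connect to the server directly.
    allowed = [ipaddress.ip_network(r) for r in provider_ranges]
    for cidr, action in smtp_rules:
        if action != "allow":
            continue
        net = ipaddress.ip_network(cidr)
        same_family = [a for a in allowed if a.version == net.version]
        if not any(net.subnet_of(a) for a in same_family):
            findings.append(f"firewall allows SMTP from {cidr}, outside provider ranges")
    return findings


if __name__ == "__main__":
    for f in audit_mail_routing(MX_RECORDS, PROVIDER_SUFFIX, PROVIDER_RANGES, SMTP_RULES):
        print("FINDING:", f)
```

The sample input deliberately keeps a stale direct MX and a leftover any-to-25 rule, the two leftovers that most often let mail skip the hired scanner.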

5. Users generate comprehensive Web server reports--but they can't generate an AV report.

Web site metric utilities have grown immensely since the late 1990s, with Webmasters typically logging every visit and generating all kinds of reports for their bosses. Companies pay big bucks for Web traffic analysis tools with eye-popping charts and graphs to illustrate the number of visitors, pages viewed and e-commerce generated. Webmasters archive their log files for posterity, too.

Compare this to virus metric utilities, which don't exist. Viruses were big 10 years before the Web came along, yet few virus fighters today can generate a single chart for their bosses. Indeed, few virus fighters can tell you what a chart would even look like.

Sure, AV software keeps an activity log, but most AV programs will limit the file size by default. Old data gets overwritten so it won't fill up a hard disk. Nobody really bothers to store this data for posterity. And why should they? No virus metric utilities exist to study the data.

Ironically, AV industry surveys rely on input from security managers who can't accurately describe the tactical and strategic virus problems in their own firm. Virus fighters themselves will sometimes fall prey to urban legends, because little or no evidence exists to contradict their beliefs. AV vendors worry that AV reports would force them to add more code to their products. Besides, users aren't asking for this capability, so why go through the effort of giving it to them?
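What a virus metrics report could look like, as an added example that is not from the article: it parses a constructed AV activity log (the line format and the lines themselves are invented for illustration, not any product's real log) and aggregates detections by day, by family, by action, repeat hosts and actions that failed.

```python
"""Turn an AV activity log into the kind of summary the item above says
nobody produces.  Added example; the log format and the lines below are
constructed for illustration, not any product's real log format."""
from collections import Counter
import re

# Constructed sample log: one detection per line.
SAMPLE_LOG = """\
2002-05-06 08:14:02 host=ws-101 user=jdoe file=C:\\temp\\readme.vbs virus=VBS/LoveLetter.A action=deleted
2002-05-06 09:30:45 host=ws-117 user=asmith file=C:\\docs\\report.doc virus=W97M/Melissa.A action=cleaned
2002-05-06 11:02:10 host=ws-101 user=jdoe file=C:\\temp\\pic.jpg.vbs virus=VBS/LoveLetter.B action=quarantined
2002-05-07 07:55:31 host=mail-gw user=- file=msg-4471.eml virus=W32/Klez.H action=deleted
2002-05-07 07:55:32 host=mail-gw user=- file=msg-4472.eml virus=W32/Klez.H action=deleted
2002-05-07 14:20:09 host=ws-101 user=jdoe file=C:\\temp\\setup.exe virus=W32/Klez.H action=clean_failed
2002-05-08 10:01:00 host=ws-203 user=bkim file=C:\\games\\crack.exe virus=W32/Klez.H action=ERROR
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ host=(?P<host>\S+) user=\S+ "
    r"file=.+? virus=(?P<virus>\S+) action=(?P<action>\S+)$")
HANDLED = {"deleted", "cleaned", "quarantined"}   # outcomes that stopped the file


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped
    rather than aborting the report."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def virus_metrics(text):
    """Aggregate detections into the numbers a manager would ask for:
    totals by day, by family, by action, repeat hosts and failed actions."""
    events = list(parse_log(text))
    by_host = Counter(e["host"] for e in events)
    return {
        "total": len(events),
        "by_day": dict(Counter(e["date"] for e in events)),
        "by_virus": dict(Counter(e["virus"] for e in events)),
        "by_action": dict(Counter(e["action"] for e in events)),
        # Repeat offenders: a host cleaned three times is a policy problem,
        # not a scanner problem.
        "repeat_hosts": sorted(h for h, n in by_host.items() if n > 1),
        # Detections the scanner saw but did not stop: the cases item #2 is about.
        "unhandled": [e for e in events if e["action"] not in HANDLED],
    }
```

Keeping the raw log instead of letting the product overwrite it is what makes the by_day series worth charting over months rather than days.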

6. AV vendors recommend changes to PC settings for security reasons, yet AV software won't make those changes for users.

Virus experts regularly tell users to make changes to their PC settings for security reasons. But today's popular AV software won't make these changes for them. For instance, the Melissa virus swamped the Internet in 1999 because AV software didn't make recommended changes for Microsoft Word users. Three years later, nothing has changed.

Here's why vendors still only recommend, rather than automatically alter, settings: Users only see AV software as a reactive technology. Any proactive capability may lead users to start blaming AV software in the future for failing to stop viruses (see #2).

Also, AV programmers must devote extra effort to write and maintain the extra code needed to change security settings. Some, like Network Associates' McAfee AV line (http://www.mcafeeb2b.com/), are moving into the vulnerability assessment arena, but McAfee products still fail to include code that automatically seals holes later exploited by viruses. Again, users apparently aren't asking AV vendors for this capability.

7. AV software contains many unexploited vulnerabilities.

Research published in 1999 and 2002 (including work done by the author) shows that virus writers can easily exploit vulnerabilities in AV software. Thus, it's possible that the more AV protection a user has, the more he is exposed to security vulnerabilities. Thankfully, virus writers don't (yet) bother to exploit AV software vulnerabilities.

AV vendors don't like to admit to the vulnerabilities in their products for three reasons. First, reporters love to write about security flaws in security products--including AV software. Who wants that kind of coverage? Second, the media exposure might give crackers the idea to attack users via their AV software. Third, the media exposure might convince large firms and government agencies to avoid AV software with a history of publicly announced vulnerabilities.

By keeping it quiet, though, vendors can fix those flaws without the users' knowledge by incorporating new code in the next update. Any such threat will go away when addicted users unwittingly download their next fix.


ROB ROSENBERGER (rob@vmyths.com) is editor of vmyths.com.