Lock IT Down: Don't trust antivirus vendors to do all the work

Take a look at the shortcomings of antivirus vendors and their software and how to compensate.

At the recent Virus Bulletin conference in Orlando, FL, several representatives of major antivirus companies, as well as the organizers themselves, had similar messages embedded into their presentations. The messages boiled down to this: “Trust us; we’re the experts.”

Unfortunately for these people, the general response from the corporate component of the audience was, “Thanks, but no thanks.” By the time the last presentation was given, some corporate users had taken to rolling their eyes at the suggestion that antivirus vendors had all the answers.

Why would users of antivirus software feel less than confident in the response capability of the software’s vendors? It has a lot to do with the industry’s history of failed promises, vaporware, and system conflicts caused by antivirus software.

Catches all viruses, known and unknown
Since the first marketing efforts were made to promote the sale of antivirus software, the exaggerations and exorbitant claims have been an embarrassment for those trying to do a serious job of providing risk reduction. Time after time, many vendors have made claims that their products would resolve all the ills of the virus world—and then failed to do so.

In recent weeks, Network Associates and Symantec, the two heavyweights of the antivirus industry, have each announced product features that will “automagically” update every workstation and server with the latest antivirus definitions, with no human intervention needed. The promotional discourse makes it all sound wonderful, but what is the reality?

Both Network Associates’ Rumor and Symantec’s Digital Immune System are based on the notion that the key to responding to new viruses is to ensure that the latest definition files are delivered to users as quickly as possible, thus allowing them to detect and block fast-breaking viruses.

The new way to treat a virus
Rumor takes advantage of the spare distributed computing power available in a network. When the first user logs on to the corporate network each day, Rumor automatically contacts the Network Associates Web site to check for new updates and then authenticates and downloads the update provided. As other workstations log on to the network, they poll the other workstations looking for a new update and grab it from the first station they find.

This approach is somewhat in contrast to the Symantec Digital Immune System, which relies on a more centralized distribution model. But the fact remains that both approaches are still looking at a pre-Internet problem and applying an Internet-based solution. In the past, viruses spread so slowly that it was common for organizations to update their antivirus software only every couple of months. As the Internet expanded its reach and viruses spread faster, updates were installed every month. When viruses became Net-aware, antivirus developers responded with more frequent updates—daily and sometimes even hourly.

Developers can’t keep up
The fundamental problem is that viruses can spread faster than the cures for them, no matter how fast those cures are provided by antivirus developers. The problem has to do with both the conservative nature of organizations and the underlying technology used to protect against viruses.

Russell Cluett, IT Security & Virus Response Team Lead at EDS Canada, summed it up best when he said, "Our business includes providing our clients with highly stable and available resources. If we don't perform sufficient testing on new code, it could affect new and existing applications with a negative impact on day-to-day operations. We will always measure the risk of malicious code against the risk of problems from insufficiently tested antivirus updates. For this reason, we will approach with great caution any auto-update system which does not permit us to properly test for issues."

At least it reboots faster…
When the Pentium processor was first launched, one of the jokes about why you should buy one was that when Windows inevitably crashed, the machine would reboot faster. In other words, you wouldn’t resolve the problem, but you’d treat a symptom. Faster updates from antivirus developers do not solve the underlying problem—most antivirus software is still reactive. Defenses against viruses are based on finding them by using scanning technology. However, the faster you deploy antivirus updates, the more potential you create for havoc within the network.

Havoc was just one of the terms used to describe the scenario at some organizations that deployed updates for Network Associates’ VirusScan in October. Lacking any built-in version error-checking and control, the updates caused massive conflicts with an older version of the scanning engine, effectively rendering machines running that scanning engine useless. By the time the problem was identified, many organizations had spent countless hours removing the antivirus software to get the machines operational again.

If this were just an isolated case of software error, it would be forgivable. But since similar update-related problems have happened before to a number of antivirus developers, it becomes harder to accept. Several years ago, Symantec had major detection failures (both false alarms and missed viruses) whenever the update and the scanning engine were mismatched. And just this summer, a programming error in a Norton AntiVirus update caused ScanDisk to create a large number of 0-byte files in a temporary folder in the root of the C drive. These files could not be deleted in Windows or from a DOS prompt, and the machine would not operate until they were removed. Symantec had to develop a special tool to fix the problem.

Test your updates before deploying
Most major organizations test all antivirus updates for several days to minimize the chance of bringing their network down due to some programming bug. Even if the automated update deployment tools provided for an easy way to roll back a problematic update, it is still a very expensive proposition. Many organizations will look at the automated update systems and respond the same way they did in Orlando, FL—Thanks, but no thanks.
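As an added illustration (not code from either vendor or from this article), here is a small Python model of the two safeguards the preceding sections argue for: the engine-compatibility check that the October VirusScan update lacked, and a test-ring soak period with rollback before an update reaches production machines. The version numbers, host names and the incident callback are all constructed for the example.

```python
# Staged antivirus definition-update gate: an added illustration, not any vendor's code.
# It models two safeguards the article says organizations want before trusting
# auto-update: an engine-compatibility check (the version error-checking missing from
# the October VirusScan update) and a test-ring soak with rollback. Every version
# number, host name and incident flag below is constructed sample data.
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class DefinitionUpdate:
    version: str                 # definition-file label
    min_engine: tuple            # lowest scanning-engine version it was built for
    max_engine: Optional[tuple]  # highest engine it was tested with; None = no cap

@dataclass
class Host:
    name: str
    engine: tuple
    definitions: str = "baseline"
    previous: str = "baseline"   # kept so a bad update can be rolled back

def compatible(update: DefinitionUpdate, host: Host) -> bool:
    """Refuse definitions built for an engine range the host does not run."""
    if host.engine < update.min_engine:
        return False
    return update.max_engine is None or host.engine <= update.max_engine

def install(update: DefinitionUpdate, host: Host) -> bool:
    if not compatible(update, host):
        return False
    host.previous, host.definitions = host.definitions, update.version
    return True

def staged_rollout(update: DefinitionUpdate, rings: List[List[Host]],
                   soak_days: int, incident_on_day: Callable[[int], bool]) -> dict:
    """Install ring by ring (test ring first), soaking each ring for soak_days; an
    incident (stand-in for the helpdesk log) rolls back every touched host and halts."""
    deployed, skipped, day = [], [], 0
    for ring in rings:
        for host in ring:
            (deployed if install(update, host) else skipped).append(host)
        for _ in range(soak_days):
            day += 1
            if incident_on_day(day):
                for host in deployed:
                    host.definitions = host.previous
                return {"status": "rolled back", "day": day, "skipped": [h.name for h in skipped],
                        "deployed": [h.name for h in deployed]}
    return {"status": "deployed", "day": day, "skipped": [h.name for h in skipped],
            "deployed": [h.name for h in deployed]}
```

A host whose engine falls outside the update's declared range is skipped rather than broken, and an incident during the test ring's soak rolls back only the test machines while production never sees the update.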