Symantec on the Importance of updating Virus Defs


John McDonald writes in the Symantec Security Response Weblog regarding the importance of updating virus definitions.

Yes, updating virus definitions frequently is important. Why then does Symantec only supply a LiveUpdate once per week to people still running version 8 and 9? Why does Symantec only update the Intelligent Update once per day? Why do I have to use XDBDown to be able to check hourly for the latest updates? Why does Symantec discourage the use of the Rapid Release definitions? Why does Symantec often rate poorly when comparing vendors' update speed when new viruses come out?

The author reports that, "Among the home users surveyed, just 46.3 percent said their antivirus software is up to date." Is this an indictment of the usability and effectiveness of their antivirus software? Shouldn't the vendor work to make the software stay up to date on its own, not break, self-heal where possible, and lastly inform the user if they need to take action to make it work again?

His defense of virus definitions is kind of weak in my opinion. The author states that with the exception of SQL Slammer, most viruses start out slow, and you are protected if you download the virus definitions before it reaches you. This reminds me of the fire department. They aren't there to prevent you from ever having a fire; they are there to prevent it from destroying your whole neighborhood. Frankly, I'd rather not have the fire in the first place. In this age of targeted attacks, motivated by money and backed by criminal concerns, I am not willing for my company to be the victim that allows everyone else to stay safe.

I'm rather disappointed with his stance against heuristics. I think it is working rather well for McAfee thus far. In this age of zero-day attacks, we aren't going to turn to third-party patches, and antivirus cannot always protect us. We need to consider adding HIPS to the corporate desktop protection suite.


About this Entry

This page contains a single entry by Roger published on October 2, 2006 12:50 PM.
