Antivirus: February 2005 Archives

AV-Comparatives' regularly scheduled antivirus scanner test results are available.

http://www.av-comparatives.org/seiten/ergebnisse_2004_02.php

What does it really mean? I don't know. Does it matter that one scanner can scan a bunch of zoo viruses (viruses not in the wild) but another scanner misses them? I don't think so.

After looking at the scan results, I had a bunch of questions about their methodology. Fortunately they have written up how they went about this. I found that more interesting than the actual results. Very cool.

It's amazing the number of companies that are willing to take your money and sell you antivirus software, but when it comes to providing virus definition files, that costs them money, so they are a little bit more reticent.

Kaspersky is one exception to this. They seem to have updates available on an hourly basis. While there is a slightly greater chance of a false positive, there is also a greatly reduced chance that a virus will slip through because an update wasn't available for it yet.

When you are a customer of Symantec, you have two methods of updating: LiveUpdate into Symantec, and manually downloading the Intelligent Updater and running it. I don't think too many people are aware of the scripts available to download the Intelligent Updater. But that's an unsupported solution, so I'm not going to give them any credit for offering it.

Time after time, customers who rely exclusively on Symantec for antivirus protection have been burned. They must rely on antiquated defense mechanisms such as blocking file types at the mail gateway and disabling file associations for pif, vbs, etc. on the desktop.

So what does Symantec do to resolve this problem? Do they innovate in antivirus software so their product is not so dependent on virus definitions? No, McAfee is leading the way in that area. Do they speed up their release of LiveUpdate? Well, in a way. Their "Platinum" customers (read: those with deep pockets) now have access to LiveUpdatePlus. This uses LiveUpdate servers available only to Platinum customers to send Intelligent Updaters every day.

So now customers can pay a premium to get daily virus defs. But others are left out in the cold to fend for themselves.

It reminds me of a Seinfeld episode where he is at the rental car counter complaining that they can take the reservation, but they can't seem to actually reserve a car for him. Symantec can take our money for antivirus software. But when it comes to delivering virus defs in a timely manner, they can't do it. That would hurt the bottom line. I hate to say it, but every time Symantec fails to protect its customers, reporters write about a virus that is running wild, and Symantec's stock price goes up. The reporters don't write about the failure to protect.

Symantec is releasing virus defs today (after 8:30pm) with detection for Bloodhound.Exploit.26. This is the UPX Parsing Engine Heap Overflow vulnerability. Information about this vulnerability is available at:

http://www.sarc.com/avcenter/security/Content/2005.02.08.html

Basically, if you are running anything earlier than SAV 9.0.1.1000 Corporate Edition, you probably need to look into upgrading.

Live Communications Server offers employees the ability to communicate with one another. Like any communications medium, it is also a way to spread viruses. There are several MSN Messenger-specific viruses that affect LCS.

It seems like a good idea to improve employee communication. For people upgrading from Exchange 2000, they get the LCS server for free. They've already got the client access licenses. They're just left with the cost of hardware. So how do you get management to fork over 20k for antivirus when the rest of the solution is "free"? If it's been more than a couple of years since the last outbreak, it seems to be more difficult to get security funding. :(

I heard a report from another company that their employees have been receiving viruses sent through their LCS server. It's not a hypothetical problem anymore. I'm not one of these people who think that security comes first, then security, then security, then security, then security, then cost, then security, then convenience. Security needs to be in balance with cost, convenience and the potential threat. I think in the case of instant messaging the threat is no longer academic. The threat spread itself across several companies this week. Time to consider antivirus part of the cost of a communication system.