Staging Virus Definition Updates

In the wake of McAfee’s false positive that rendered Windows XP computers unbootable, there has been a lot of talk. What I wanted to talk about today is the staging of virus definition updates. I saw a lot of comments that companies took the McAfee update and deployed it company-wide without any testing.
I don’t know of companies of any size that would roll out any other patch without testing. Or I shouldn’t say testing so much as rolling it out to a small group of users, followed by a bigger group, then everyone. Even if no formal tests are performed, the computer is at least used after the update and shown to still handle everyday tasks.
Yet companies have given in to the virus definition update race and update definitions between 365 and 5000 times a year without any testing at all.
Depending on your vendor, virus definitions come out between 1 and 20 times per day. Do you really want to be the choke point that prevents your company from being as fully protected as it could be? I gave up on that after the time I had to drive back from an awards dinner and run down a hallway yelling “hit update now, hit update now” (I needed the email gateway antivirus updated).
Perhaps I’m going to feel really stupid when Symantec does the same thing next year. But I still feel our protection is better for having up-to-date definitions. Perhaps as a middle ground I could apply Rapid Release definitions to my own computer.
More and more antivirus vendors are going to the cloud or to the community to provide intelligence on the validity of a file. As antivirus vendors take to the cloud, any staging or testing of virus definitions is only part of the equation. You can’t test the cloud in small groups.
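A concrete form of the small-group-then-everyone staging described above, as an added Python example that is not from the original post: a ring-based rollout that hands a definition set to the next ring only after the current ring has soaked for a bake time with no more than a tolerated share of failing hosts, and that treats a host that never reports back as a failure, because an unbootable machine cannot phone home. The host names, ring sizes, thresholds, version label and health telemetry are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Hypothetical telemetry a managed endpoint sends after installing a definition set.
@dataclass
class HealthReport:
    host: str
    booted_ok: bool                 # came back up after the update and any reboot
    av_service_running: bool        # the AV engine itself still runs
    system_files_quarantined: int   # OS files the new definitions flagged (false-positive signal)

    def healthy(self) -> bool:
        return self.booted_ok and self.av_service_running and self.system_files_quarantined == 0


@dataclass
class Ring:
    name: str
    hosts: List[str]
    bake_time: timedelta            # minimum soak time before the next ring may go
    max_unhealthy_fraction: float   # share of hosts allowed to fail before the rollout halts


@dataclass
class RolloutState:
    version: str
    promoted_at: Dict[str, datetime] = field(default_factory=dict)   # ring name -> time promoted


def ring_verdict(ring: Ring, reports: Dict[str, HealthReport],
                 promoted_at: datetime, now: datetime) -> Tuple[str, str]:
    """Judge one ring that already has the definitions: ('halt'|'wait'|'promote', reason).

    Unhealthy reports halt at once. After the bake time, a host that has not
    reported at all counts as failed: silence must not look like success.
    """
    seen = [reports[h] for h in ring.hosts if h in reports]
    bad = [r.host for r in seen if not r.healthy()]
    if bad and len(bad) / len(ring.hosts) > ring.max_unhealthy_fraction:
        return "halt", f"{ring.name}: unhealthy hosts {bad}"
    if now - promoted_at < ring.bake_time:
        return "wait", f"{ring.name}: still baking ({now - promoted_at} of {ring.bake_time})"
    silent = [h for h in ring.hosts if h not in reports]
    failed = bad + silent
    if len(failed) / len(ring.hosts) > ring.max_unhealthy_fraction:
        return "halt", f"{ring.name}: after bake, unhealthy {bad}, silent {silent}"
    return "promote", f"{ring.name}: {len(ring.hosts) - len(failed)}/{len(ring.hosts)} healthy after bake"


def advance_rollout(state: RolloutState, rings: List[Ring],
                    reports: Dict[str, HealthReport], now: datetime) -> Tuple[str, str]:
    """Move the definition version one ring forward if the evidence allows it."""
    if not rings:
        return "done", "no rings configured"
    if not state.promoted_at:
        state.promoted_at[rings[0].name] = now
        return "promote", f"{rings[0].name}: initial ring receives {state.version}"
    current_index = max(i for i, r in enumerate(rings) if r.name in state.promoted_at)
    current = rings[current_index]
    verdict, reason = ring_verdict(current, reports, state.promoted_at[current.name], now)
    if verdict != "promote":
        return verdict, reason
    if current_index + 1 >= len(rings):
        return "done", f"{state.version} is on every ring"
    nxt = rings[current_index + 1]
    state.promoted_at[nxt.name] = now
    return "promote", f"{nxt.name} receives {state.version} ({reason})"


# Constructed ring layout: two IT canaries, a ten-seat pilot, then everyone.
RINGS = [
    Ring("canary", ["it-ws-01", "it-ws-02"], timedelta(hours=2), 0.0),
    Ring("pilot", ["acct-ws-%02d" % i for i in range(1, 11)], timedelta(hours=6), 0.1),
    Ring("everyone", ["ws-%03d" % i for i in range(1, 201)], timedelta(0), 1.0),
]

# Constructed telemetry: both canaries fine.
GOOD_CANARY = {
    "it-ws-01": HealthReport("it-ws-01", True, True, 0),
    "it-ws-02": HealthReport("it-ws-02", True, True, 0),
}
# Constructed telemetry: it-ws-02 never reports (it did not boot, so it cannot).
SILENT_CANARY = {"it-ws-01": HealthReport("it-ws-01", True, True, 0)}
# Constructed telemetry: a canary reports back that it quarantined OS files and the service died.
CRASHED_CANARY = {"it-ws-01": HealthReport("it-ws-01", False, False, 3)}


def simulate(reports: Dict[str, HealthReport], hours_after_canary: float) -> Tuple[str, str]:
    """Give the canary ring a constructed version, then re-evaluate after some hours."""
    t0 = datetime(2010, 4, 22, 8, 0)                     # constructed timestamp
    state = RolloutState("defs-example-001")             # placeholder version label
    advance_rollout(state, RINGS, reports, t0)
    return advance_rollout(state, RINGS, reports, t0 + timedelta(hours=hours_after_canary))


if __name__ == "__main__":
    print(simulate(GOOD_CANARY, 3))      # promote: pilot receives the definitions
    print(simulate(GOOD_CANARY, 1))      # wait: canary still baking
    print(simulate(SILENT_CANARY, 3))    # halt: a canary went silent
    print(simulate(CRASHED_CANARY, 0.5)) # halt: bad report, no need to wait out the bake
```

The bake time is where the choke-point trade-off from the post lives: with definitions arriving many times a day, a long bake on the canary ring means most versions never reach everyone before the next one supersedes them, so in practice the canary soak is measured in hours and the tolerance on the wider rings is what protects against a bad set slipping through.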


  1. As an IT Pro at an organization that was affected by this catastrophe with McAfee I’m with you on searching for how to implement antivirus better. I’m torn by your calling the definition updates a “patch” but I agree in some sense. Nobody pushes out a patch without testing it on their system but also no software company pushes out patches as frequently. Heck, people got mad with Java’s recent update only being a week after the 6u19 came out (although there was also relief about the zero day attack being mitigated).
    Staging definitions is definitely the way to go but it already seems like McAfee doesn’t do anything for the organization because malware is morphing so quickly it can’t keep up. Delaying definitions isn’t going to help those efforts. Then what parameters do you test? Each operating system, each Service Pack?
    Basically, McAfee’s false positive chose just about the worst file to identify because it disabled the ability to repair them over the network. Certainly learning some lessons from this one. Hopefully my unit’s understaffing showed through to the administration but not to my users.
    P.S. vendors*

  2. I believe I picked up the ‘patch’ lingo from Rob Rosenberger of Vmyths. The antivirus fails to do its job and detect malware so it needs to be patched. I think more and more people are questioning the virus definition update addiction.

  3. It’d be nice if the vendors tested their products before pushing them out the door, although I guess XP SP3 is kind of an obscure configuration…
    It’s a shame behavior-based antivirus never caught on. That, and privsep and good coding practices. I can dream, can’t I?
