Instability and Modern Anti-Virus Software

By Larry Seltzer  |  Posted 2007-12-26 Print this article Print

Opinion: Remember when they used to test anti-virus updates? There's no time for that anymore, so you have to cross your fingers every hour when the new signatures download.

I can remember back when anti-virus companies used to test their updates before they sent them out to customers. But then again, I can remember the Johnson administration (Lyndon, not Andrew), so I'm relatively (ahem!) experienced.

Anyway, times have changed. The anti-virus business has moved to the Netscape business model of shipping products and letting the customers do the testing. I hear and see more cases lately of things going wrong with those frequent and untested updates.

The most recent infamous example involved Kaspersky Anti-Virus, an overall great product which I run on the system on which I'm typing this column. But, as discussed at length in this thread on the Funsec security list, a recent update to KAV caused it to detect Windows Explorer (explorer.exe), the program which runs the Windows shell and file management programs, as hostile, specifically as infected with a low-risk virus, Huhk-C. Oops.

My own system suffered no ill effects, so I suppose this was not a universal disaster, but some users clearly were inconvenienced. The report said that only "companies performing their network scan during the hours that the dodgy update was present" were affected. But KAV is popular, so that's going to be more than a few companies.

I had a bad update problem myself with Norton 360 earlier this year. As Symantec itself explained:
A patch went out earlier this week for the SymProtect module, the part of the program that protects it against being attacked by the bad guys. The patch was defective, so defective it didn't even completely install.
The system was basically usable, unless you tried to surf the Web, in which case it locked up. Until Symantec fixed the update, which took several hours, if you rebooted the system it would attempt again to download and install it, and fail.

The Pushdo Trojan downloader has a distribution system fitted with complex tracking mechanisms and hiding techniques. Click here to read an analysis of it.

It's hard to get mad at the anti-virus industry. What choice does it have? If it were to test signatures thoroughly before releasing them the industry would be so far behind the threat landscape that its products would become useless. It's true that the more frequent the updates the more effective the products will be, all other things held constant, which of course they aren't.

In the Funsec thread above you'll see remarks from people who know what they're talking about with respect to the anti-virus business and testing. Dr. Solomon, author of what was once a famous and highly regarded anti-virus program (he eventually sold off to McAfee) has been making the point for years that testing is necessary, but makes timeliness impossible: I don't see how it's possible to do daily updates, let alone hourly. Even weekly updates sounds too difficult.

Kaspersky releases updates very frequently, sometimes every hour. In fact, to see how often it detects and update threats, see the Kaspersky Lab Virus Watch site.

I actually had coffee with Eugene Kaspersky about a year ago and asked him about the testing problem, specifically how they deal with testing when they release updates so frequently. He gave me a politician's answer, which is to say he answered a different question, dodging mine. I didn't press him, instead taking his non-answer as confirmation of my suspicious that they had no answer to the testing problem.

I don't want to pick on Eugene or his company; nobody has an answer to the testing problem. It's all just more evidence of the growing bankruptcy of the signature testing approach. Since heuristic scanners and intrusion prevention systems are far from perfect and subject to false positives in proportion to their effectiveness, that approach isn't the answer either. The best answer is if users could be trained not to fall for the social engineering tricks that make most modern malware effective. But sadly, people don't seem to be getting smarter fast enough.

The bottom line is that the potential instability of untested updates is part of the landscape of trade-offs in system security these days. Cross your fingers and get on with your work.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel