Instability and Modern Anti-Virus Software
Opinion: Remember when they used to test anti-virus updates? There's no time for that anymore, so you have to cross your fingers every hour when the new signatures download.I can remember back when anti-virus companies used to test their updates before they sent them out to customers. But then again, I can remember the Johnson administration (Lyndon, not Andrew), so I'm relatively (ahem!) experienced. Anyway, times have changed. The anti-virus business has moved to the Netscape business model of shipping products and letting the customers do the testing. I hear and see more cases lately of things going wrong with those frequent and untested updates.
The most recent infamous example involved Kaspersky Anti-Virus, an overall great product which I run on the system on which I'm typing this column. But, as discussed at length in this thread on the Funsec security list, a recent update to KAV caused it to detect Windows Explorer (explorer.exe), the program which runs the Windows shell and file management programs, as hostile, specifically as infected with a low-risk virus, Huhk-C. Oops.
A patch went out earlier this week for the SymProtect module, the part of the program that protects it against being attacked by the bad guys. The patch was defective, so defective it didn't even completely install.The system was basically usable, unless you tried to surf the Web, in which case it locked up. Until Symantec fixed the update, which took several hours, if you rebooted the system it would attempt again to download and install it, and fail. The Pushdo Trojan downloader has a distribution system fitted with complex tracking mechanisms and hiding techniques. Click here to read an analysis of it. It's hard to get mad at the anti-virus industry. What choice does it have? If it were to test signatures thoroughly before releasing them the industry would be so far behind the threat landscape that its products would become useless. It's true that the more frequent the updates the more effective the products will be, all other things held constant, which of course they aren't. In the Funsec thread above you'll see remarks from people who know what they're talking about with respect to the anti-virus business and testing. Dr. Solomon, author of what was once a famous and highly regarded anti-virus program (he eventually sold off to McAfee) has been making the point for years that testing is necessary, but makes timeliness impossible: I don't see how it's possible to do daily updates, let alone hourly. Even weekly updates sounds too difficult. Kaspersky releases updates very frequently, sometimes every hour. In fact, to see how often it detects and update threats, see the Kaspersky Lab Virus Watch site.