Instability and Modern Anti-Virus Software

Opinion: Remember when they used to test anti-virus updates? There's no time for that anymore, so you have to cross your fingers every hour when the new signatures download.

I can remember back when anti-virus companies used to test their updates before they sent them out to customers. But then again, I can remember the Johnson administration (Lyndon, not Andrew), so I'm relatively (ahem!) experienced.

Anyway, times have changed. The anti-virus business has moved to the Netscape business model of shipping products and letting the customers do the testing. I hear and see more cases lately of things going wrong with those frequent and untested updates.

The most recent infamous example involved Kaspersky Anti-Virus, an overall great product which I run on the system on which I'm typing this column. But, as discussed at length in this thread on the Funsec security list, a recent update to KAV caused it to detect Windows Explorer (explorer.exe), the program which runs the Windows shell and file management programs, as hostile, specifically as infected with a low-risk virus, Huhk-C. Oops.

My own system suffered no ill effects, so I suppose this was not a universal disaster, but some users clearly were inconvenienced. The report said that only "companies performing their network scan during the hours that the dodgy update was present" were affected. But KAV is popular, so that's going to be more than a few companies.

I had a bad update problem myself with Norton 360 earlier this year. As Symantec itself explained:

A patch went out earlier this week for the SymProtect module, the part of the program that protects it against being attacked by the bad guys. The patch was defective, so defective it didn't even completely install. The system was basically usable, unless you tried to surf the Web, in which case it locked up. Until Symantec fixed the update, which took several hours, if you rebooted the system it would attempt again to download and install it, and fail.

/zimages/1/28571.gifThe Pushdo Trojan downloader has a distribution system fitted with complex tracking mechanisms and hiding techniques. Click here to read an analysis of it.

It's hard to get mad at the anti-virus industry. What choice does it have? If it were to test signatures thoroughly before releasing them the industry would be so far behind the threat landscape that its products would become useless. It's true that the more frequent the updates the more effective the products will be, all other things held constant, which of course they aren't.

In the Funsec thread above you'll see remarks from people who know what they're talking about with respect to the anti-virus business and testing. Dr. Solomon, author of what was once a famous and highly regarded anti-virus program (he eventually sold off to McAfee) has been making the point for years that testing is necessary, but makes timeliness impossible: I don't see how it's possible to do daily updates, let alone hourly. Even weekly updates sounds too difficult.

Kaspersky releases updates very frequently, sometimes every hour. In fact, to see how often it detects and update threats, see the Kaspersky Lab Virus Watch site.


I actually had coffee with Eugene Kaspersky about a year ago and asked him about the testing problem, specifically how they deal with testing when they release updates so frequently. He gave me a politician's answer, which is to say he answered a different question, dodging mine. I didn't press him, instead taking his non-answer as confirmation of my suspicious that they had no answer to the testing problem.

I don't want to pick on Eugene or his company; nobody has an answer to the testing problem. It's all just more evidence of the growing bankruptcy of the signature testing approach. Since heuristic scanners and intrusion prevention systems are far from perfect and subject to false positives in proportion to their effectiveness, that approach isn't the answer either.

The best answer is if users could be trained not to fall for the social engineering tricks that make most modern malware effective. But sadly, people don't seem to be getting smarter fast enough.

The bottom line is that the potential instability of untested updates is part of the landscape of trade-offs in system security these days. Cross your fingers and get on with your work.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

/zimages/1/28571.gifCheck out's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack

More from Larry Seltzer