Imagine that your office
building was on fire, and you called the fire department,
only to be told, "Please wait there while we invent a new
method to fight the kind of fire you have."
You'd be furious! You'd expect the firefighters to rush to
your building immediately, ready to fight whatever kind of
fire they found.
Unfortunately, anti-virus services are forced into a
scenario that no firefighter would accept: "We have to
invent new defenses every day." Anti-virus software can
predict and prevent some never-before-seen viruses. But
all too often, a new virus can spread unchecked while
software vendors develop and distribute a new "signature"
file that can match the virus and kill it.
The Time Lag Between Discovery and Disinfection
Just how long is the period between a new virus getting "into
the wild" and an effective antidote getting into your
company's anti-virus arsenal?
To answer that question, I turned to AV-Test.org, a group of
researchers that has studied anti-virus technology for years.
AV-Test is not as well-known in the United States as it should
be, possibly because the group is located in Germany at the
Otto von Guericke University Magdeburg. Many of the
organization's articles have been published in German computer
magazines that have no English editions — but I hope that'll
change.
I interviewed Andreas Marx, manager of AV-Test, by telephone to
get his view of anti-virus response times. He provided me
with test results showing how long it took 23 major anti-virus
programs worldwide to come up with new signature files during
the past several weeks.
"I hope this will decrease the time it takes updates to get
released," Marx told me, explaining why he feels sharing the
information is important.
Finding — and Fighting — New Virus Threats
The new signature files involved in this horse race
were developed to fight four novel viruses that weren't being
caught by the preventive or "heuristic" techniques of most
anti-virus programs. These four new viruses are known as
Dumaru.Y, MyDoom.A, Bagle.A and Bagle.B.
AV-Test uses special scripts to check the servers at
anti-virus companies every five minutes, looking for new
signature files. It then calculates the time between each
virus being first spotted somewhere in the world by the
MessageLabs consulting group and the time when each anti-virus
service has a working fix available to the public (not
counting beta versions available only to testers).
According to the organization's data, these are the average
lag times, in hours and minutes, for each program during the
test period:
Time (H:M)  Anti-Virus Program
06:51       Kaspersky
08:21       Bitdefender
08:45       Virusbuster
09:08       F-Secure
09:16       F-Prot
09:16       RAV
09:24       AntiVir
10:31       Quickheal
10:52       InoculateIT-CA
11:30       Ikarus
12:00       AVG
12:17       Avast
12:22       Sophos
12:31       Dr. Web
13:10       Norman
13:06       Trend Micro
13:59       Command
14:04       Panda
17:16       Esafe
24:12       A2
26:11       McAfee
27:10       Symantec
29:45       InoculateIT-VET
The averages vary from about 7 hours per virus to more than
one full day (almost 30 hours).
It's important to note two things about the figures in the
table above:
- Some of the programs were able to detect some of the viruses
  in the testing period heuristically — without needing an
  update. Ikarus, Quickheal, and Virusbuster were able to do
  this with the Dumaru.Y virus, whereas Norman and RAV were able
  to do it with Bagle.B. In those cases, the anti-virus program
  was assigned a response time of zero for that one virus. This
  reduced those vendors' average response times.
- On the other hand, A2 had not posted a signature for the
  Bagle.B virus within three days, when the test period ended.
  This program, therefore, was assigned a response time of 35
  hours in this instance. If this virus had not been considered
  in the statistics, A2's average response time would have been
  reduced to 15:26 rather than 24:12.
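The scoring rules just described, together with the five-minute polling from the measurement section, can be modelled in a few lines. This is an added illustration, not AV-Test's own scripts; the vendor names, first-sighting times and posting times below are constructed sample data, not the article's figures, and the exclusion case mirrors the A2 recomputation in structure only.

```python
from datetime import datetime, timedelta

POLL_MINUTES = 5                 # AV-Test's scripts check each vendor's server every five minutes
TEST_PERIOD = timedelta(days=3)  # observation window per virus, as in the article
UNPOSTED_HOURS = 35.0            # assigned when no public fix appeared inside the window
HEURISTIC = "heuristic"          # marker: caught without an update, scored as zero hours

def poll_observed(posted):
    """First wall-clock five-minute poll that would see a file posted at `posted`."""
    wait = (-posted.minute) % POLL_MINUTES
    if wait == 0 and (posted.second or posted.microsecond):
        wait = POLL_MINUTES      # the poll at :00 seconds had already run
    return posted.replace(second=0, microsecond=0) + timedelta(minutes=wait)

def response_hours(first_seen, observation):
    """Hours from first sighting to a public (non-beta) fix, under the rules above."""
    if observation == HEURISTIC:
        return 0.0
    if observation is None or observation - first_seen > TEST_PERIOD:
        return UNPOSTED_HOURS
    return (poll_observed(observation) - first_seen).total_seconds() / 3600

def fmt_hm(hours):
    """Render decimal hours in the article's H:M notation, rounded to the minute."""
    minutes = round(hours * 60)
    return f"{minutes // 60:02d}:{minutes % 60:02d}"

def vendor_average(first_seen, observations, exclude=()):
    """Average response over every virus not in `exclude`, as a formatted H:M string."""
    hours = [response_hours(first_seen[v], observations.get(v))
             for v in first_seen if v not in exclude]
    return fmt_hm(sum(hours) / len(hours))

# Constructed sample data: these sightings and posting times are made up for
# illustration and are not AV-Test's or MessageLabs' measurements.
FIRST_SEEN = {"Dumaru.Y": datetime(2004, 1, 20, 8, 0), "MyDoom.A": datetime(2004, 1, 26, 13, 0),
              "Bagle.A": datetime(2004, 1, 18, 10, 0), "Bagle.B": datetime(2004, 2, 17, 9, 0)}
VENDORS = {   # hypothetical vendor names
    "VendorFast": {"Dumaru.Y": datetime(2004, 1, 20, 14, 33), "MyDoom.A": datetime(2004, 1, 26, 20, 0),
                   "Bagle.A": datetime(2004, 1, 18, 17, 16), "Bagle.B": HEURISTIC},
    "VendorSlow": {"Dumaru.Y": datetime(2004, 1, 21, 2, 0), "MyDoom.A": datetime(2004, 1, 27, 5, 0),
                   "Bagle.A": datetime(2004, 1, 19, 0, 0), "Bagle.B": None},  # unposted at window close
}

if __name__ == "__main__":
    for name, obs in VENDORS.items():
        print(vendor_average(FIRST_SEEN, obs), name)
    print("VendorSlow without Bagle.B:", vendor_average(FIRST_SEEN, VENDORS["VendorSlow"], exclude=("Bagle.B",)))
```

Dropping the unposted virus from the slow vendor's average shows how much a single 35-hour penalty moves the figure, which is the effect the A2 note above describes.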
Distributing the Fix Is As Important As Developing It
Aside from the immediate problem of developing signature files
that can detect new viruses, there's another element to a good
anti-virus service. The new signatures must be distributed to
corporate and individual customers across the Internet, using
the infrastructure the provider has built.
In a PDF white paper released in February and entitled "Outbreak
Response Times," AV-Test shows that the
frequency with which anti-virus companies update their
software online varies widely. Although new signatures are
sometimes posted very quickly in special cases, many major
anti-virus services schedule regular online updates only once
or twice a week, AV-Test says. Other providers, such as
F-Secure, schedule updates seven times a week, while Kaspersky
Labs schedules them 20 times a week, according to AV-Test's
figures.
Updating Anti-Virus Signatures Around the Clock
Actually, says Antony Holdsworth, technical consultant for
Kaspersky Labs' United Kingdom office, his company recently
started posting a new signature file on its servers every
three hours.
"We're seeing about 300 new viruses a week," Holdsworth
explains. "There are always new anti-virus signatures to
post," even with updates scheduled eight times a day, he adds.
Kaspersky schedules new signature files the most often — and
earned the fastest average response times in AV-Test's
real-time trials, shown above — because the company has a
large number of people around the world analyzing viruses and
developing cures, Holdsworth says.
Conclusion
Your company may not feel it has a virus problem. Some
corporations think they can prevent viruses by stripping all
attachments out of incoming e-mail. "But people use
workarounds like Hotmail to get attachments," AV-Test's Marx
says.
If you do find yourself coping with new viruses all too often,
the response time of your anti-virus service may be a factor
you'll want to take a good, hard look at.