Imagine that your office building was on fire, and you called
the fire department, only to be told, "Please wait there
while we invent a new method to fight the kind of fire you have."
You'd be furious! You'd expect the firefighters to rush to your
building immediately, ready to fight whatever kind of fire they found.
Unfortunately, anti-virus services are forced into a scenario that no
firefighter would accept: "We have to invent new defenses every day."
Anti-virus software can predict and prevent some never-before-seen viruses.
But all too often, a new virus can spread unchecked while software vendors
develop and distribute a new "signature" file that can match the virus
and kill it.
The Time Lag Between Discovery and Disinfection
Just how long is the period between a new virus getting "into the wild"
and an effective antidote getting into your company's anti-virus arsenal?
To answer that question, I turned to
AV-Test.org,
a group of researchers which has studied anti-virus technology for years.
AV-Test is not as well-known in the United States as it should be, possibly
because the group is located in Germany at the Otto von Guericke University
Magdeburg. Many of the organization's articles have been published in
German computer magazines that have no English editions — but I hope
that'll change.
I interviewed by telephone Andreas Marx, manager of AV-Test, to get
his view of anti-virus response times. He provided me with test results
showing how long it took 23 major anti-virus programs worldwide
to come up with new signature files during the past several weeks.
"I hope this will decrease the time it takes updates to get released,"
Marx told me, explaining why he feels sharing the information is important.
Finding — and Fighting — New Virus Threats
The new signature files involved in this horse race were developed to fight
four novel viruses that weren't being caught by the preventive
or "heuristic" techniques of most anti-virus programs. These four new
viruses are known as Dumaru.Y, MyDoom.A, Bagle.A and Bagle.B.
AV-Test uses special scripts to check the servers at anti-virus
companies every five minutes, looking for new signature files. It then
calculates the time between each virus being first spotted somewhere in
the world by the MessageLabs consulting group and the time when each anti-virus
service has a working fix available to the public (not counting beta
versions available only to testers).
According to the organization's data,
these are the average lag times, in hours and minutes, for each program
during the test period:
H:M Anti-Virus Program
06:51 Kaspersky
08:21 Bitdefender
08:45 Virusbuster
09:08 F-Secure
09:16 F-Prot
09:16 RAV
09:24 AntiVir
10:31 Quickheal
10:52 InoculateIT-CA
11:30 Ikarus
12:00 AVG
12:17 Avast
12:22 Sophos
12:31 Dr. Web
13:06 Trend Micro
13:10 Norman
13:59 Command
14:04 Panda
17:16 Esafe
24:12 A2
26:11 McAfee
27:10 Symantec
29:45 InoculateIT-VET
The averages vary from about 7 hours per virus to more than one full
day (almost 30 hours).
It's important to note two things about the figures in the table above:
• Some of the programs were able to detect some of the viruses in the
testing period heuristically — without needing an update. Ikarus,
Quickheal, and Virusbuster were able to do this with the Dumaru.Y virus,
whereas Norman and RAV were able to do it with Bagle.B. In those cases, the
anti-virus program was assigned a response time of zero for that one virus.
This reduced those vendors' average response times.
• On the other hand, A2 had not posted a signature for the Bagle.B virus
within three days, when the test period ended. This program, therefore, was
assigned a response time of 35 hours in this instance. If this virus had not
been considered in the statistics, A2's average response time would have been
reduced to 15:26 rather than 24:12.
Distributing the Fix Is As Important As Developing It
Aside from the immediate problem of developing signature files that can
detect new viruses, there's another element to a good anti-virus service.
The new signatures must be distributed to corporate and individual customers
across the Internet, using the infrastructure the provider has built.
In a PDF white paper released in February and entitled
"Outbreak
Response Times," AV-Test shows that the frequency with which
anti-virus companies update their software online varies widely. Although new
signatures are sometimes posted very quickly in special cases, many major
anti-virus services schedule regular online updates only once or twice a week,
AV-Test says. Other providers, such as
F-Secure, schedule updates
seven times a week, while
Kaspersky
Labs schedules them 20 times a week, according to AV-Test's
figures.
Updating Anti-Virus Signatures Around the Clock
Actually, says Antony Holdsworth, technical consultant for Kaspersky Labs'
United Kingdom office, his company recently started posting a new signature
file on its servers every three hours.
"We're seeing about 300 new viruses a week," Holdsworth explains.
"There are always new anti-virus signatures to post," even with updates
scheduled eight times a day, he adds.
Kaspersky schedules new signature files the most often — and earned
the fastest average response times in AV-Test's real-time trials, shown
above — because the company has a large number of people around the
world analyzing viruses and developing cures, Holdsworth says.
Conclusion
Your company may not feel it has a virus problem. Some corporations think they
can prevent viruses by stripping all attachments out of incoming e-mail.
"But people use workarounds like Hotmail to get attachments," AV-Test's
Marx says.
If you do find yourself coping with new viruses all too often,
the response time of your anti-virus service may be a factor you'll
want to take a good, hard look at.
Want to discuss the issues raised in this column? Take it over to our IT Management Forum.
Images
Imagine that your office building was on fire, and you called
the fire department, only to be told, "Please wait there
while we invent a new method to fight the kind of fire you have."
