Ask just about anyone who manages a network and they'll tell you that keeping your antivirus software up-to-date is one of the most important daily activities on their network. However, studies and risk analysis have shown that updating antivirus signature files on a daily basis offers no more protection against new viruses than updating on a weekly basis. A Webcast presented by TruSecure on Myth vs. Reality points out that too much time and effort is spent on daily AV updates when the benefits are statistically zero.
True, the threat from viruses is increasing at an alarming rate. E-mail has become the virus-spreading medium of choice for malicious programmers bent on wreaking havoc on the world. More viruses are detected now in three days than were detected during the entire year of 1999. It is also true that a virus infection can cause significant damage to an organization. Lost productivity, downtime, repair costs, etc. can quickly add up when a serious virus infection occurs. All systems, from personal home computers to corporate world-wide enterprise networks, are vulnerable to virus infections. In fact, that vulnerability is quite high, especially for new viruses.
Virus infection vulnerability is a function of how likely it is that an AV product will detect and block the infection of a system. For known viruses, AV products have a good track record, but nearly 3% of known viruses reaching a system get past AV products undetected. That is, 3% of the viruses included in a product's signature database still intrude onto a system, bypassing the AV guard designed to block their entry. In addition to the missed known viruses, no AV product currently available can prevent infection by new viruses: if a signature is not known, the AV product can't detect and stop the virus.
Over the last few years, several fast-spreading viruses have caught the IT community off guard. Melissa, Love Letter, AnnaKournikova, Magistr and Mawanella infected 20% of their total victims before a detection signature was available, and 70% of their total victims within the first 24 hours of their release/discovery. Statistically, updating AV signatures daily rather than weekly offers only a marginal improvement in virus infection prevention.
Relying on AV products alone is no longer an adequate solution and cannot be considered due diligence. Additional measures must be taken to reduce the risk from both the 3% of missed known viruses and from new viruses. These measures include:
- The use of file-attachment filtering on e-mail gateways -- block/strip any attachment not sent using a designated extension, archive method, encryption, or CRC check.
- Deployment of an e-mail policy that allows only business/organizational related/specific e-mail.
- Training users in handling unknown or unexpected attachments.
- Considering stripping all attachments on all e-mail at the e-mail gateway. Force file exchange through FTP or a secured file transfer process.
- Preventing the downloading or physical import (floppies, CDs, etc.) of untested software.
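As an added example (not from the original tip), a minimal gateway filter for the first measure above: it parses a message, keeps only attachments whose extension is on a designated allowlist, and strips the rest. The allowlist and the sample message are constructed for illustration; the archive, encryption and CRC checks the tip also mentions are not implemented here.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed allowlist: the extensions an organisation has designated as
# acceptable; every other attachment is stripped at the gateway.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".csv"}


def strip_disallowed_attachments(raw: bytes):
    """Parse a raw RFC 822 message and drop attachments not on the allowlist.

    Returns (cleaned_message, stripped_filenames). Attachments without a
    filename cannot be classified, so they are stripped too. A single-part
    message carries no separate attachments and is returned unchanged.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    stripped = []
    if not msg.is_multipart():
        return msg, stripped
    kept = []
    for part in msg.iter_parts():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            # splitext keeps only the last extension, so "report.pdf.vbs"
            # is judged by ".vbs", not by the ".pdf" in the middle.
            ext = os.path.splitext(name)[1].lower()
            if ext not in ALLOWED_EXTENSIONS:
                stripped.append(name or "<unnamed>")
                continue
        kept.append(part)
    msg.set_payload(kept)  # original multipart headers and boundary stay
    return msg, stripped


def build_sample_message() -> bytes:
    """Constructed sample: a text body, an allowed .pdf and a disallowed .vbs."""
    msg = EmailMessage()
    msg["Subject"] = "Quarterly report"
    msg.set_content("Report attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MsgBox \"constructed\"", maintype="application",
                       subtype="octet-stream", filename="report.pdf.vbs")
    return msg.as_bytes()
```

Running `strip_disallowed_attachments(build_sample_message())` keeps the body and `report.pdf` and reports `report.pdf.vbs` as stripped.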
About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.
"I am still amazed at how much discussion there is about the frequency in which one should update virus definition files. Companies such as Symantec only update their downloadable file about once a week anyway. So why people do this daily is beyond understanding. Your recent article, "Exposing the myth of antivirus," seems to report on an issue I consider moot. If you are a company of any size (five plus computers) a corporate solution is needed.
"We employ Symantec's Norton AntiVirus Corporate Edition, which comes with a central management tool. We automatically download virus definitions every morning (new or not) and those definitions are automatically uploaded to each managed machine on the network. I haven't spent one second on this since we deployed this product six months ago. In fact, I can remember one of our machines being infected with a virus several months ago. I closed our outside connectivity until appropriate virus definitions were available. Once available, this solution allowed me to isolate the virus and kill it with minimal work. What would have taken days of weeding out and repairing systems one by one took me about two hours. We saved 10 times the cost of the software in saved productivity with one incident.
"It is well known that standard antivirus detection methods are only good for those viruses that are known, but considering we get hit about two dozen times a day with known viruses, it is well worth it. Again, this issue should be moot. If everyone just used the auto-update features of their antivirus solution (all corporate and individual solutions have this feature if they are worth anything), I don't see how monitoring it could take more than two minutes a month."
What do you think? Share your thoughts on this reader's comments and our tip in our Letters to the Editors discussion forum.
This was first published in July 2002