Sunday, April 16, 2006

all virus prevention methods fail

i blogged some time ago about how all anti-virus products fail, noting that no anti-virus product can ever have perfect detection and that, even if one did, part of the reason for the failure is often that the user has been careless and not kept the product up to date, used the product incorrectly, or simply exposed themselves to too much risk...

the implication was that through judicious computing practices (often referred to as safe hex) one could drastically reduce the risk of computer virus infection... while this is true, there is a dangerous oversimplification that can be made - safe hex does not (can not) reduce the risk to zero... it's something i tried to touch on before but i'll be more straightforward about it now...

no virus prevention method is 100% effective... no combination of virus prevention methods is 100% effective... they all fail... you can follow safe hex to the letter, you can do all the right things and still get a computer virus... the only sure way to avoid a computer virus is to not have a computer, or if you get one don't turn it on...

this may sound like doom and gloom but it's a reality of security in general - preventing bad things from happening is an ideal we strive for but we can't achieve it all the time, that's just not a realistic expectation... even if we were perfect (which we aren't) and followed the best prevention strategies out there (which we often don't) some of us would still get hit...

what that means is that prevention is only part of how one must address the problem... the other part is planning for your preventative measures to fail - figuring out how to detect when a failure has happened (ideally using some kind of known-clean environment) and how to recover from that failure (everything from removing the offending item to restoring from backups)... any anti-virus (or anti-malware for that matter) strategy is incomplete if it doesn't include these elements...
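the post stops at the principle, so here is a small worked example (added here, not from the original post) of what "plan for your preventative measures to fail" can look like in code: a hash manifest of a directory is recorded while the tree is known-clean, the live tree is later compared against it to detect added, modified or missing files, and anything that differs is restored from a backup copy taken at the same clean point... the directory layout, file names and contents are all constructed inside a temporary directory by the script itself...

```python
"""
Added example (not from the original post): a minimal "plan for failure" cycle.

Prevention can fail, so you also need (1) a way to detect that it failed,
ideally by comparing against a known-clean reference, and (2) a way to
recover, e.g. restoring from a backup. This script builds a sha256 manifest
of a directory while it is known-clean, later compares the live directory
against that manifest, and restores changed or missing files from a backup.
All paths and sample files below are constructed in a temp directory.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record relative path -> sha256 for every file under root.
    Run this while the tree is known-clean (e.g. right after install)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare(manifest, root):
    """Return the differences between the live tree and the clean manifest.
    Added, modified or missing files are all signals that prevention failed."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def restore(diff, root, backup_root):
    """Recover: overwrite modified files and recreate missing ones from the
    backup copy, and remove files that were not part of the clean baseline."""
    restored = []
    for rel in diff["modified"] + diff["missing"]:
        src = os.path.join(backup_root, rel)
        dst = os.path.join(root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        restored.append(rel)
    for rel in diff["added"]:
        os.remove(os.path.join(root, rel))
    return restored


def demo():
    """Run the whole cycle on constructed files. Returns the diff seen
    before recovery and the diff after recovery (which should be empty)."""
    work = tempfile.mkdtemp()
    live = os.path.join(work, "live")
    backup = os.path.join(work, "backup")
    os.makedirs(os.path.join(live, "bin"))
    with open(os.path.join(live, "bin", "tool.exe"), "wb") as f:
        f.write(b"original program bytes")  # constructed sample file
    with open(os.path.join(live, "config.ini"), "w") as f:
        f.write("setting=1\n")  # constructed sample file

    manifest = build_manifest(live)  # baseline taken while clean
    shutil.copytree(live, backup)  # backup taken while clean

    # Simulate a prevention failure: one file altered, one unexpected file
    # appears, one file disappears (all constructed, nothing real runs).
    with open(os.path.join(live, "bin", "tool.exe"), "ab") as f:
        f.write(b"\nunexpected extra bytes")
    with open(os.path.join(live, "unexpected.tmp"), "w") as f:
        f.write("not in the baseline")
    os.remove(os.path.join(live, "config.ini"))

    before = compare(manifest, live)  # detection step
    restore(before, live, backup)  # recovery step
    after = compare(manifest, live)  # should show no differences
    shutil.rmtree(work)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("detected:", b)
    print("after restore:", a)
```

two things the post cares about show up directly in this layout: the manifest and the backup are only trustworthy because they were taken from a known-clean state, and the comparison is a separate step from prevention, so it still works when whatever was supposed to stop the change did not...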

safe hex, for all its benefits, does not deal with these things... safe hex is a set of best practices for prevention... detection of preventative failures is a much trickier proposition and recovery is as big (if not bigger) a topic on its own as safe hex... the oversimplification of 'just follow safe hex and you'll be fine' or 'you got hit so you need to learn safe hex' is dangerous because it gives the impression that there's no need to plan for failure and so people don't... people are lazy, they won't plan for failure if they don't think they need to and the oversimplification makes people believe they don't need to... in this way, sometimes safe hex advice can create a false sense of security and thus can be a kind of snake oil...

safe hex is still a good thing, though... it's just not the whole answer... prevention, detection of preventative failures, and recovery from failure - you need to keep all three in mind when developing your anti-virus strategy...
