Tuesday, February 20, 2007

security catalyst's first q&a podcast

now i want to start off by saying that i don't often listen to podcasts, i don't multi-task all that well and need to just sit there and listen to a podcast in order to really absorb the content so they're really not very helpful to me per se... there are also usability issues with podcasts - you can't quickly scan through a podcast to save yourself time, you can't easily stop it and go back hours later without starting over (in part because you can't scan over the part you've already heard to reacquaint yourself with the context), and you can't easily quote/refer to/respond to a podcast...

that said, the security catalyst's first security podcast q&a caught my eye because the supporting summary information (which is a great thing to include with podcasts, by the way, and i wish more people did that) indicated that there was anti-virus material being covered and so it would probably be of interest to me... i also noticed some odd inclusions and omissions in the recommended links, but i'll get into that later...

the first thing that struck me about the anti-virus portion of the podcast (which starts about 25 minutes in, by the way) was that michael santarcangelo and adam dodge got the overall answer right - as far as detection rates, heuristics, etc. go there really isn't a lot of differentiation between the major anti-virus players out there so using any of them should be fine... when i've brought this concept up it's generally been in response to the old "what's the best anti-virus" question and my response is that the detection rates of most of the mainstream products are so close to each other that their relative rankings can easily change from one month to the next... trying to decide on an anti-virus on that basis is pointless, you need to look at other broad factors like usability and quality of support - basically, you have to find the one that fits your particular circumstances best... for the consumer this is pretty easy as there are free trials available for many of the products...

the second thing that struck me was that they got the overall message so right while getting many of the underlying details so wrong...
  1. they say that you want a product that has both real-time and on-access scanning -- real-time and on-access scanning are synonymous, the only real-time scanning any product does is the scanning it does when something is accessed (on-access)... perhaps they meant on-demand and on-access scanning as those are definitely both things you want...
  2. they say heuristics look at how programs behave -- heuristics look for familiar/suspicious routines, not bad behaviour... behaviour blockers look for bad behaviour...
  3. they say almost all major players have heuristics -- show me one that doesn't have heuristics and i'll show you one that isn't really a major player...
  4. they say you should look for instant messaging protection because you can share potentially hazardous files over IM -- this is completely redundant, however, since as soon as you try to do anything with the file you just downloaded your on-access scanner will scan it...
  5. they say you should look for webmail protection presumably to protect you from email borne malware you receive in your webmail -- this is redundant as well since, once again, once you download the malware to your local machine and try to execute it (even if you don't know what you were doing was going to execute it) your on-access scanner will scan it before it executes... perhaps they mean more general web protection to block drive-by-downloads and various other browser exploits that can sometimes launch malware outside the scope of your on-access scanner...
  6. they say you should look for conventional email protection if you're instead using email clients like outlook or thunderbird in order to prevent things like melissa or lovebug -- once again this is redundant, on-access scanners catch these when you try to access them... if you're a corporation or some other organization and running an email server then you may want to look into email scanning at the gateway (not to mention content filtering that blocks a variety of attachment types) however...
  7. they say email protection is just as important as system protection -- well this is sort of right but for the wrong reasons; email protection is part of system protection... email is just one of many ways into the system...
  8. they suggest looking at places like pcmag or cnet for reviews -- the reviews done by such non-expert organizations are notoriously bad (even consumer reports can't seem to do an adequate job of testing anti-virus products)... don't get me wrong, i'm sure they're adequately skilled to perform comparisons of extra (gee-whiz) features, but if you find such a review trying to compare detection rates then run away (unless they outsourced the review to a respected independent testing organization, but in that case why not get the review straight from the horse's mouth?)...
  9. they suggest looking at the ICSA anti-virus certifications -- i honestly have not seen much good said about ICSA's certifications but i have seen some not-so-good things said... long story short the certifications are paid for by the vendors (i.e. they're bought), the criteria aren't as strict as some others, and the vendors get do-overs...
  10. they omit av-comparatives.org and virus bulletin which are much more widely recognized and respected in the anti-virus community...
  11. they say that companies won't send you viruses because (essentially) they're worried you'll do something dumb with them -- in actuality the bigger concern is that you'll do something irresponsible or even malicious with them... they have no way to know you won't so they err on the side of caution...
despite all this, i'm still happy with the message that was sent... i just wish it hadn't been followed by material that made me go no, no, no, no...
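to make the on-demand/on-access and heuristics/behaviour distinctions from points 1, 2, 4, 5 and 6 concrete, here is a toy scanner core (an added example, not code from the post or from the podcast) with two entry points: an on-demand walk over a directory tree, and an on-access gate that scans a file at the moment it's opened... the "signatures" and "suspicious routines" are constructed byte markers, not anything real, and the sample files (arriving via "im", "webmail" and "outlook" folders) are constructed too - the point is that the on-access gate doesn't care which channel a file came in through...

```python
"""Toy anti-virus core: signature + static-heuristic scanner with on-demand and on-access modes.

Added example for illustration only; every marker and sample file below is constructed.
"""
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Constructed "known-bad" byte patterns (stand-ins for real signatures).
SIGNATURES = {
    b"EICAR-LIKE-CONSTRUCTED-MARKER": "Test.Sig.A",
}

# Constructed static heuristics: byte strings standing in for suspicious routines
# (e.g. code that reads the address book and mass-mails contacts). A heuristic
# engine looks for routines like these in the file; it does not watch the program run.
HEURISTIC_MARKERS = {
    b"READ_ADDRESSBOOK": "reads address book",
    b"SEND_MAIL_TO_ALL": "mass-mails contacts",
}
HEURISTIC_THRESHOLD = 2  # number of suspicious routines needed before we flag


def scan_bytes(data: bytes) -> Optional[str]:
    """Return a verdict string if the content looks bad, otherwise None."""
    for sig, name in SIGNATURES.items():
        if sig in data:
            return f"signature:{name}"
    hits = [desc for marker, desc in HEURISTIC_MARKERS.items() if marker in data]
    if len(hits) >= HEURISTIC_THRESHOLD:
        return "heuristic:" + ",".join(hits)
    return None


def scan_file(path) -> Optional[str]:
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def on_demand_scan(root) -> Dict[str, str]:
    """On-demand: walk the whole tree and scan every file, however it arrived."""
    root = Path(root)
    results = {}
    for p in root.rglob("*"):
        if p.is_file():
            verdict = scan_file(p)
            if verdict:
                results[p.relative_to(root).as_posix()] = verdict
    return results


class AccessDenied(Exception):
    """Raised when the on-access gate refuses to hand a flagged file to the caller."""


def on_access_open(path, mode="rb"):
    """On-access: scan the file as it is opened, before the caller gets a handle.

    Whether the file came via IM, webmail or an email client makes no difference here;
    this is why channel-specific scanning is redundant once on-access scanning is in place.
    """
    verdict = scan_file(path)
    if verdict:
        raise AccessDenied(f"{path}: {verdict}")
    return open(path, mode)


def build_sample_tree() -> str:
    """Write constructed sample files mimicking downloads from different channels."""
    root = tempfile.mkdtemp(prefix="toyav_")
    files = {
        "im/funny.exe": b"MZ..." + b"EICAR-LIKE-CONSTRUCTED-MARKER",
        "webmail/invoice.doc": b"doc READ_ADDRESSBOOK ... SEND_MAIL_TO_ALL",
        "outlook/report.txt": b"quarterly numbers, nothing odd",
        "outlook/macro.doc": b"doc READ_ADDRESSBOOK only",  # one routine: below threshold
    }
    for rel, data in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def demo() -> dict:
    """Run both modes over the constructed tree and report what each one catches."""
    root = build_sample_tree()
    flagged = on_demand_scan(root)
    blocked = {}
    for rel in ("im/funny.exe", "webmail/invoice.doc",
                "outlook/report.txt", "outlook/macro.doc"):
        try:
            with on_access_open(Path(root, rel)) as f:
                f.read()  # only reached if the gate let the file through
            blocked[rel] = False
        except AccessDenied:
            blocked[rel] = True
    return {"on_demand": flagged, "on_access_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

the on-demand walk and the on-access gate share one detection core; the difference is purely when it runs (scheduled over everything vs. at the moment of access)... a behaviour blocker, by contrast, would sit outside this file-content check entirely and watch what a running program does...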

1 comment:

Anonymous said...

These comments have been invaluable to me as is this whole site. I thank you for your comment.