Thursday, June 14, 2007

when misunderstanding hurts you

today's post by tyler reguly about a revelation he found in f-secure's marketing message caught my eye because i think it exhibits some misunderstandings that i suspect are probably not unique to him so i'm going to try and clear up some of the confusion...

the statement that triggered all of this was that f-secure ships out around 6 updates per day... in tyler's words:
"When you are pushing out that many updates it tells me one of two things. i) You are “sweatin’ the small stuff” or ii) You have a bad QA process and need to push out fixes."
he goes on to investigate whether there is enough malware to justify that many updates and finds that no-one is producing write-ups of new threats at anywhere near that rate...

the key misunderstanding here is what exactly those threat write-ups represent... they are not the only pieces of malware that the respective av companies encounter, far from it, they are just the ones that have distinguished themselves enough from the background noise of hundreds of pieces of malware being processed per day to warrant a write-up... nobody maintains a repository of malware write-ups equal in quantity to the amount of malware their product detects, that's just too much work for too little return, so they pick out the ones that are significant in some way such as ones that do something genuinely new, or ones that have in hindsight proven to be a slightly more significant threat than the vast majority...

notice the word hindsight... it is, unfortunately, not possible to predict which pieces of malware will make it big and which won't so it's not possible to use that as a criterion for issuing an update... technically sophisticated viruses have gone nowhere while barely functioning frankenstein creations have run amok... as such, all the anti-virus companies can do is try to minimize (within reason) the window of opportunity that a potentially significant threat will have... in fact, sometimes the failure to become a significant threat (certainly a desirable outcome) hinges on the rapid and widespread deployment of detection capabilities for it...

f-secure accomplishes this with around 6 updates per day... some companies ship updates hourly (and have been doing so for years now)... these aren't fixes (at least not generally), it's not a QA problem, there genuinely are sufficiently many pieces of malware being processed each day to warrant this update frequency... does that mean they're sweating the small stuff? maybe so but it's only because there's no way to know what's going to become big...

5 comments:

treguly said...

As I said in my comment to your comment on my blog (gee... that's a mouthful)...

The AV industry provides no proof that they aren't sweatin' the small stuff and fixing mistakes. If it's 1000s of viruses that affect one small subset of individuals, I could care less...

Let's look at it this way... If people can wait weeks, or even months to receive a patch for IE and there aren't enough people affected to complain that the patches should come out immediately (Yes I know there are groups pushing for this... but from a business standpoint this doesn't make sense)... Then people aren't going to complain about a little virus... Daily Updates or even weekly updates would be more than sufficient.

kurt wismer said...

and as i said in my blog post, it's not possible to know ahead of time what's going to be big and what's going to stay small...

you don't want to wait until after it gets big to get detection for it, you want detection before it ever gets a foothold so as to help prevent it from ever getting a foothold...

and, not to put too fine a point on it, but comparing vulnerability response to threat agent response is a little wrong-headed... if there was actual malware exploiting the hypothetical IE vulnerability in question the patch for that vulnerability would get released sooner...

David said...

@treguly:

I take it you've never been on the front lines.

Many individuals and companies RELY on the anti-virus vendors to stop the malware while WAITING for that patch from Microsoft to come out later that month.

Yes, it does seem silly to defend against a malware or virus that targets a German bank's customers when you are in the U.S.A., but why not? You never know what attack will work against you or your organization. You have to defend against "all" of them, or trust yourself not to fall victim.

I'm a 30 year computer user and have only fallen prey to boot sector viruses in the years gone by, but your logic just doesn't make sense.

It makes as much sense as saying that you only need to lock your house once a week. Why do you lock your door every time you leave the house?

Luke said...

I don't believe there are people so ignorant who think that only malware that receive writeups are the only threats out there.

kurt wismer said...

@luke:
"I don't believe there are people so ignorant who think that only malware that receive writeups are the only threats out there."

hard though it may be to believe, they really exist... it takes all kinds, as the saying goes...