Sunday, December 14, 2008

does av really suck that badly?

while looking through my rss feeds today i saw this comment rich mogull posted about a week ago (don't ask why it took so long to reach my reader, i don't know)...

primarily it's his observation about malware, anti-malware, and the mac platform and community, but he ends the comment much more generally with this:
"To be honest, I think desktop AV sucks in general and isn't nearly as effective as everyone would like us to think."

this is probably a common enough sentiment among the more technically savvy crowd... i wouldn't go so far as to say this is part of the anti-av movement, but rather a consequence of the mismatched expectations people have with regards to anti-virus software and the persistent mischaracterization of av as being solely about virus scanners...

i can understand where the opinion is coming from - if you look just at scanners, and more to the point if you look just at what populist media reports about scanners then the image you get is of something that fails a lot... but here's the main problem with this line of thinking (besides the issue of what av is, which i think i covered adequately before) - no preventative measure is an island complete unto itself...

as i mentioned in my post about the blacklist value proposition, the primary benefit of a scanner is to take care of the exceptions that aren't covered by other measures... scanners have never, ever been the sole preventative measure in play, they've always been complementing something else... even when the only technological measure present was a scanner, there were still procedural measures, there was still common sense, there was still (in the distant past at least) the relative disconnected nature of the computing ecosystem, etc... judging a scanner's effectiveness in isolation as though it were supposed to take care of the entire problem all by itself is like judging how well table salt satisfies your appetite...

the problem is that people think the scanner is supposed to take care of the threat all by itself, and they think that because av marketing departments have been feeding them that line of rubbish for something like two decades now and they aren't really taking many steps to correct the imbalance in the image they're creating and the mismatched expectations they're giving the public... this is why i often frown on marketing, why i've accused those who overuse the concept of protection as snake-oil peddlers, and why i cringe when someone calls a set of security tools a solution...

the problem isn't the technology, the problem is what people understand (or fail to understand) about the technology, and by extension the thing that causes the misunderstanding... as mark linton points out, there is a definite false sense of security being fostered here, and as cd-man suggests in pointing to that same post, that false sense of security is causing harm - possibly even more harm than a scanner can make up for... av companies need to wake up and realize that by allowing their own marketing departments to subtly lie to the public they're going to be shooting themselves in the foot in the long run... by operating in bad faith they are increasingly losing the faith of consumers - and not only will that accelerate when the idea that av sucks makes it into mainstream public consciousness, but it is also very hard to win back once lost...

but back to rich's opinion - i don't think he's entirely wrong, av isn't nearly as good as it's often made out to be, but rich and probably a lot of other people out there are being so profoundly affected by the reality-distortion field put up by av marketing that when they finally start to see a glimmer of reality through a thin spot in the fog bank they see a stark contrast between it and the marketing message and start rejecting everything in the marketing message, even though the best lies are those that are hidden among truths, and come to equally imbalanced conclusions... the opinion is one that smacks of not seeing the whole picture... as i keep saying, what most people call av (the scanner) should be part of a larger whole, not abstracted out on its own... further, it's not everyone who wants you to believe av is so good, it's really just marketing (stop listening to marketing; seriously don't even bother rejecting what they're saying, just don't let them affect your thinking at all) and the corporate big-wigs who care more about market share than they do about actually contributing to their customers' security and well being (ahem john thompson ahem)... there are plenty of honest, ethical, technical people in the anti-malware industry trying to spread a more balanced message, but they may not be as easy to find as the pitch on the outside of the product's packaging...
