Friday, November 27, 2009

av vendors are not like drug pushers

one of the erroneous ideas i sometimes come across is that av vendors are a little like drug pushers - that they want to keep you the user addicted or otherwise dependent on signature updates because charging you for regular signature updates is the only way they can make money.

this notion is complete, uninformed bullshit.

the first problem with this idea is the money aspect - if you haven't noticed, the major av vendors come out with a new version of their products (not just new signature updates) every year, not unlike microsoft comes out with a new version of ms office every few years. you have to pay microsoft to upgrade your ms office installation so it shouldn't take a rocket scientist to realize that av vendors make money the same way. they also make money from those who just renew at the end of the year instead of buying the new version because the signature and engine updates cost money to develop.

now you might think that just plays into a more fundamental issue, that they're purposefully adhering to a technology that requires updates/upgrades so that you need to pay each year but that's also nonsense. both the threat landscape and the operating environment itself are constantly changing, there's no protective technology that won't require updating to accommodate that fact. furthermore, there are always improvements that can be made to the way a security product (any security product) does it's job - the only way to get those improvements out to people is in the form of updates/upgrades, and the only way to pay for the research and development behind those improvements is to charge somebody money and it's only fair that the people they charge for the improvements are the people who benefit from those improvements.

still think they're intentionally dragging their feet with regards to non-signature-based technologies for some reason? fine, lets look at our old friend thunderbyte anti-virus. thunderbyte was an anti-virus suite back in the early 90's before av suites were even heard of. it had the signature based scanner, sure, but it also had the most transparent heuristic engine (by which i mean it told you what properties a file had that made it suspicious) i'd ever seen (then or since), it had rudimentary application whitelisting, it had behaviour blocking, it had integrity-based generic detection and cleaning. thunderbyte even marketed av hardware. the folks at thunderbyte were pioneers who in a very real sense built a better mouse trap and believe it or not the world did not beat a path to their door. the product was ultimately a failure in the market (their technology was bought by norman data defense which, with all due respect to the folks at norman, is a much more obscure company), not because it wasn't a superior product (it was), nor because it was too much of a niche product (it was readily available in computer stores where i live despite coming from a different continent and i imagine it was available in stores elsewhere as well), but because the market wasn't ready for it. just because you build it doesn't mean they will come - it might work like that in the movies but not in real life. it would be unreasonable to expect other vendors to waste their money developing technology that the market wasn't already clamouring for - the reason vendors have been slow to develop these alternative technologies is because the market for those technologies has been slow to develop. there weren't enough customers demanding the technology for it's development to make good business sense.


David Harley said...

Agree. The real failure of the AV companies is that they've continued to try to meet unrealistic expectations of what they can do and perceptions of what they actually do, following rather than communicating.