Sunday, April 20, 2008

is anti-virus software falling behind?

as readers of my blog are probably aware, i have a bit of a penchant for trying to dispel a variety of popular myths... one of the most popular ones i've dealt with is the notion that anti-virus software can't keep up - or, as i put it before, the myth of overwhelming numbers...

when i look at my previous treatments of this myth, however, i don't see something i could point a complete newbie at and have a reasonable expectation that they'd get it so i'm going to try and make this as simple as possible - there is no publicly available evidence that points conclusively to anti-virus software falling behind...

the only kind of evidence that would conclusively point to av vendors failing to keep up is a growing backlog of undetected malware... some people think that the growing number of people who get hit with undetected malware while using up-to-date av products, or the growing number of malware samples that are undetected at any given time, is equivalent to this growing backlog, but it isn't...

let's use an analogy to demonstrate this... let's say i have a dog... this dog shits on the ground and then i come along and clean up the shit... someone may (unfortunately) step in the shit before i get to it, but it does get cleaned up and so long as i clean up the same amount of shit my dog produces i'm not falling behind... now let's say i get a second dog - all of a sudden the amount of shit that hits the ground on any given day doubles, the chance of someone stepping in it before it gets cleaned up doubles, but so long as i'm still picking up as much as those two dogs drop i'm still keeping up with them and not falling behind...

this can go on and on with an ever increasing number of dogs and at some point i may eventually reach a point where i have so many dogs that i can't keep up, where they produce more shit in a day than i can clean up in a day, and that leftover portion is a backlog which will build up day after day and become a real mess before too long... now, unless you're keeping track both of when the dogs shit and when i clean it up, you have no way to determine if the increasing amount of shit currently on the ground getting stepped on represents a backlog or simply an increasing amount of shit being produced by an increasing number of dogs... if i were getting close to that undesirable point where the dogs produce more than i can clean up i would hire people to help me pick up after them (and/or maybe i'd build a robot or various other tools to help speed up the process)... with that help there would be more breathing room (figuratively) and we'd be able to increase the number of dogs and still not fall behind...

this is pretty much the same thing that goes on in av companies - as the amount of crap the malware writers produce increases, the companies hire more analysts and develop better automated tools so that they can deal with an increasing amount of malware per day... that doesn't mean that the amount of undetected malware won't grow, it will... preventing that set from growing would require known-malware scanning to be able to detect malware before it was released (i.e. before it was known)... known-malware scanning generally can't do that any more than i can catch dog shit before it hits the ground... so long as they're analyzing as many as the malware writers are producing, though, they aren't falling behind - an increasing amount of undetected malware is not the same as a growing backlog of undetected malware... the growing pile of crap is an unavoidable consequence of the increasing production of crap and has nothing to do with whether or not anyone can keep up...

(yes, i did just compare malware to dog shit)
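to make the difference between "a growing pile" and "a growing backlog" concrete, here's a small day-by-day queue model... this is an added illustration, not code from the original post, and every number in it (samples per day, analyst throughput, the one-day delay before a sample can reach a lab at all) is a made-up toy value rather than anything measured at a real vendor... `undetected` counts everything that's been released but not yet signatured (the shit currently on the ground), while `backlog` counts only the samples the analysts could have got to but didn't because more arrived than they can process (the leftover portion)...

```python
"""toy queue model of malware production vs. analyst throughput.

added illustration for the post above; not the author's code, and all the
numbers in it are constructed, not measured.

two quantities the post says people conflate:
  * undetected: samples released but not yet signatured on a given day
    (the shit currently on the ground that people step in)
  * backlog: samples the analysts could have worked on but did not get to,
    because more arrived than they can process (the leftover portion)
"""
from collections import deque


def simulate(production_per_day, capacity_per_day, days, latency_days=1):
    """day-by-day simulation.

    production_per_day: new samples released each day.
    capacity_per_day:   samples the analysts can signature per day; an int,
                        or a function of the day number so capacity can change
                        part-way through (hiring help).
    latency_days:       days before a released sample can reach the lab at
                        all; a sample younger than this is undetected but is
                        NOT backlog, because nobody could have processed it yet.

    returns two lists indexed by day: undetected[day], backlog[day].
    """
    waiting = deque()  # release day of every unsignatured sample, oldest first
    undetected, backlog = [], []
    for day in range(days):
        cap = capacity_per_day(day) if callable(capacity_per_day) else capacity_per_day
        # analysts signature eligible samples, oldest first, up to today's capacity
        processed = 0
        while waiting and processed < cap and day - waiting[0] >= latency_days:
            waiting.popleft()
            processed += 1
        # today's new samples hit the ground; with latency_days >= 1 none of
        # them are eligible for analysis until tomorrow
        waiting.extend([day] * production_per_day)
        undetected.append(len(waiting))
        # backlog: eligible samples still unprocessed at the end of the day
        backlog.append(sum(1 for released in waiting if day - released >= latency_days))
    return undetected, backlog


def final_state(production_per_day, capacity_per_day, days=30):
    """(undetected, backlog, backlog growth per day) on the last simulated day."""
    undetected, backlog = simulate(production_per_day, capacity_per_day, days)
    return undetected[-1], backlog[-1], backlog[-1] - backlog[-2]


if __name__ == "__main__":
    # constructed scenarios mirroring the dogs in the post
    scenarios = [
        ("one dog, keeping up", 100, 100),
        ("two dogs, keeping up", 200, 200),
        ("two dogs, one cleaner", 200, 100),
        ("two dogs, help hired day 10", 200, lambda day: 100 if day < 10 else 300),
    ]
    print(f"{'scenario':<30}{'undetected':>12}{'backlog':>10}{'growth/day':>12}")
    for name, prod, cap in scenarios:
        u, b, g = final_state(prod, cap)
        print(f"{name:<30}{u:>12}{b:>10}{g:>12}")
```

run it and the two "keeping up" rows show the undetected pile doubling when production doubles while the backlog stays at zero, the "one cleaner" row shows a backlog growing by exactly production minus capacity every day, and the last row shows that hiring help part-way through drains the backlog and brings the pile back down to one day's worth of releases... the pile is a function of how much is produced and how long a sample takes to reach a lab; only the backlog tells you whether anyone is keeping up...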

6 comments:

Anonymous said...

whilst I love the comparison I have an issue with it. It only works if you assume that the purpose of you walking around picking up shit is to clean up afterwards, not to prevent.

AV is sold, at least in part, as "protection" - to prevent bad things happening.

So you should be walking round cleaning up dogshit, AND stopping the dog from shitting. If you ain't preventing as much shitting as you were, you're falling behind.

If you aren't preventing malware infections as well as you were - you are falling behind - even if it's only by your old standards.

The truth, as I see it, of the matter is AV will always be needed, its nature will change and at this time most AV vendors are failing (to varying degrees) to keep pace with the threat landscape they operate in. Their technical people know this and are working on solutions. Marketing people are afraid and still ranting the same crap because they know there's a hole - they just don't have anything to fill it - so they pretend it doesn't exist. Unfortunately, for them, "the truth will out" and those that get caught out will suffer the consequences.

That's my 2 pence worth.

I shall now vacate the soap box and allow someone else a turn.

kurt wismer said...

the problem here is that you're trying to extend the analogy beyond its intended scope... analogies typically fall down when you do that...

when i'm picking up dog shit that's like the malware analysts processing malware samples, it's not supposed to be comparable to anything other than that... the production of shit is being compared with the production of malware - we can't really stop either one... innocent 3rd parties stepping in the shit is then compared to getting infected/infested... when i pick it up that in turn prevents people from stepping in that particular piece of shit in the future just as malware analysts producing new signatures and getting them out to your scanner prevents you from 'stepping in' (getting infected/infested by) that particular piece of malware in the future...

so in that sense it does prevent...

i don't agree that preventing infections should be the benchmark for judging whether av is falling behind or not... preventing infections is part of the practice of av, not the production of av... that means it's in the hands of the users, not the vendors...

users (yourself included apparently) are under the mistaken belief that scanners = av... av vendors produce other anti-malware technologies as well but most people don't understand or use them, and the technology they do use they fairly often misuse... they could get a lot better 'protection' if they made better use of the tools that are available to them...

Anonymous said...

I take it you work for McAfee?

kurt wismer said...

no... as i have repeatedly stated elsewhere on this blog, i do not work in the anti-malware industry... i am simply a member of the anti-malware community...

furthermore, i do not have any allegiance to mcafee... if you read some of my other posts you might notice i accuse them of selling snake-oil due to the name of their product suite (total protection)...

Anonymous said...

I think the problem here is that AV products are not marketed as a "cleanup" tool like you say. They're marketed as an invincible shield through which nothing bad can pass (i.e. you'll never have dog turds on your lawn). I know that many years ago, before I entered the infosec industry, I thought that AV products had some highly sophisticated behavioral way to determine if a program was doing something "bad", and so would catch any and all malware. Based on AV vendor marketing, I don't think that's an unreasonable assumption for the general population to make.

My experience matches that of others, that lots and lots of new samples are passing right by AV products at the time of receiving them via email, iframe etc. And yes, the techs at AV vendors are working on adapting their products for our current malware situations. But as long as consumers have the wrong idea about what AV does and doesn't do, we'll have a problem.

However "Catches most viruses, except very new ones!" just isn't going to look good on a bright yellow Symantec box.

kurt wismer said...

"I think the problem here is that AV products are not marketed as"

stop... just stop . listening . to marketing....

you know that a whopper doesn't look as juicy in real life as it does on commercials... you know that buxom beauties won't flock to your side when you've got beer, and you know that cars don't actually bounce through the streets... why are you listening to anti-virus marketing when you know better for other types of marketing?

"Based on AV vendor marketing, I don't think that's an unreasonable assumption for the general population to make."

av vendor marketing is full of lies... but then, so is every other type of marketing...

"But as long as consumers have the wrong idea about what AV does and doesn't do, we'll have a problem."

i agree, and in other blog posts here i openly criticize vendors for their deceptive marketing... furthermore, one of the purposes i hoped this site would serve was as a source of balanced information to try and correct the misguided notions people have as a result of that deceptive marketing... unfortunately it's more trendy these days to adopt an equally unbalanced but opposing view of av that says people shouldn't bother with av anymore...

"However "Catches most viruses, except very new ones!" just isn't going to look good on a bright yellow Symantec box."

very true, and unfortunately symantec in particular is least likely to change their ways regarding marketing because they're least susceptible to the consequences of shoddy, deceptive marketing...

you're unlikely to ever see av marketing adopt this stance but "if the malware's too new, a scanner won't do"...