Firewall Wizards mailing list archives

Re: Antivirus vendor conspiracy theories


From: "Paul D. Robertson" <paul () compuwar net>
Date: Sat, 27 Nov 2004 08:37:30 -0500 (EST)

On Tue, 23 Nov 2004 MHawkins () TULLIB COM wrote:

> This makes the burglar alarm, portable generator and snow tire vendors very
> predictable in their product offering and the customer is suitably informed
> as to the various benefits and or limitations that such products provide.

Actually, their customers just don't understand the failure modes of their
systems well enough to complain, and more importantly, the failure events
are far enough apart that most people think things are just fine.

> Antivirus vendors have painted themselves into their own conspiracy theoried
> corner by purveying a product that is based on technology that is purely
> reactive and for the last ten years they've used one method of protection
> thereby enabling other attack vectors to be repeatedly successful.

That's not the vendors' fault, it's the market which wouldn't accept the
administrative overhead of "known good only" prevention.  Also, there are
at least two methods of protection- and they're implemented very
differently than they were originally in many products.

> To use your own analogies, there is nothing proactive about locking a door
> after you've been broken into, there is nothing proactive to driving slower
> in the snow after you've already ended up in a ditch, and there's nothing
> proactive about remembering to gas up the generator after the power blinks
> off. Yet, that is what antivirus vendors are selling to the consumer and
> their marketing spin tells the average joe "install this product and
> protect yourself from dangerous Internet viruses, worms etc" while year

The virus threat is a situation that's more like the flu.  Flu shots may
or may not be good for the strain that gets the most spread.  Out of the
thousands of new viruses released each year, only a very small number get
traction- because AV works well against better than 90% of the threats
it's supposed to work against, and that's a good thing.  Hand-washing is
more effective than flu shots, but look at the panic in the US this year
over shot availability.


> after year major infections spread and the consumer, faced with the
> cognitive dissonance between antivirus vendor marketing spin and the reality
> of a system rebuild, crashes, deleted files etc, wakes up and realizes that
> the antivirus vendors are peddling an awful product that really doesn't
> protect their system at all.

Marketing spin is marketing spin, and should be taken as such.  However,
AV works against almost 100% of existing in-the-wild viruses, and probably
greater than 90% of new viruses, that's not "doesn't protect their systems
at all."  Go into any good-sized company and look at the AV software's
logs, you'll see quarantined files at probably any company of 40 or so
employees or more where Windows desktops are in evidence.  Now, why we're
not going through those logs and enhancing protections to stop those
events as a matter of course...

The market won't accept better mechanisms, just like better
firewalls are disdained in favor of IDS, which is also a reactive
technology.  As an industry, we've failed in getting vendors to go the
"this is now allowed to work" have it blessed first mode, so we're left
with picking up the pieces reactively.

As poor as ActiveX is implementation-wise (it's difficult to imagine a
worse implementation,) the "this code must be signed by a trusted party
before it is executed" idea is a good one, but the market won't accept an
implementation that requires the bar to be high enough that the model
would actually work.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
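The two models Paul contrasts, reactive deny-listing (today's AV) against "known good only" allow-listing, and his point about actually mining the AV quarantine logs, as an added example that is not code from this thread or from any AV product. The sample "executables", the quarantine log format and the threat names are all constructed here for illustration; hashes are SHA-256 of those constructed bytes.

```python
"""Deny-list (classic AV) versus allow-list ("known good only") execution policy,
plus a triage of constructed quarantine-log lines that feeds back into policy."""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables; the bytes are arbitrary, not real binaries.
SAMPLES = {
    "word.exe":    b"MZ legitimate word processor shipped with the desktop image",
    "oldworm.exe": b"MZ worm family the AV vendor already has a signature for",
    "newworm.exe": b"MZ brand-new worm variant released this morning",
    "newtool.exe": b"MZ legitimate utility a user installed yesterday",
}
H_OLD = sha256_hex(SAMPLES["oldworm.exe"])
H_WORD = sha256_hex(SAMPLES["word.exe"])
H_TRJ = sha256_hex(b"MZ older trojan, also in the signature database")  # constructed


@dataclass
class DenyListPolicy:
    """Reactive model: run anything unless its hash is already known bad."""
    known_bad: set

    def decide(self, data: bytes) -> str:
        return "block" if sha256_hex(data) in self.known_bad else "allow"

    def learn_bad(self, digests) -> None:
        self.known_bad.update(digests)


@dataclass
class AllowListPolicy:
    """'Known good only' model: run nothing unless its hash was blessed first."""
    known_good: set

    def decide(self, data: bytes) -> str:
        return "allow" if sha256_hex(data) in self.known_good else "block"

    def bless(self, digest: str) -> None:
        self.known_good.add(digest)


def evaluate(policy, samples=SAMPLES) -> dict:
    """Map each sample name to the policy's verdict."""
    return {name: policy.decide(data) for name, data in samples.items()}


# Constructed quarantine log in a made-up key=value format (no real product writes this).
QUARANTINE_LOG = f"""\
2004-11-23 09:14:02 host=ws-017 action=quarantine path=C:\\Temp\\invoice.pif threat=Worm.Sample.A sha256={H_OLD}
2004-11-23 09:20:41 host=ws-023 action=quarantine path=C:\\Temp\\photo.scr threat=Worm.Sample.A sha256={H_OLD}
2004-11-23 11:05:13 host=ws-004 action=quarantine path=C:\\Users\\jdoe\\Downloads\\setup.exe threat=Trojan.Sample.B sha256={H_TRJ}
2004-11-23 11:06:00 host=ws-004 action=clean path=C:\\Program Files\\Word\\word.exe threat=none sha256={H_WORD}
"""
LOG_RE = re.compile(
    r"host=(?P<host>\S+) action=(?P<action>\S+) path=(?P<path>.+?) "
    r"threat=(?P<threat>\S+) sha256=(?P<sha256>[0-9a-f]{64})"
)


def triage_quarantine_log(text: str) -> dict:
    """Turn quarantine events into what an admin should act on: which directories
    malware lands in (candidates for execution restrictions), which families, which hashes."""
    events = [m.groupdict() for m in map(LOG_RE.search, text.splitlines())
              if m and m["action"] == "quarantine"]
    by_dir = Counter(e["path"].rsplit("\\", 1)[0] for e in events)
    by_threat = Counter(e["threat"] for e in events)
    return {"events": len(events), "by_dir": dict(by_dir),
            "by_threat": dict(by_threat), "hashes": {e["sha256"] for e in events}}


def demo() -> dict:
    deny = DenyListPolicy(known_bad={H_OLD})
    allow = AllowListPolicy(known_good={H_WORD})
    before = {"deny": evaluate(deny), "allow": evaluate(allow)}
    triage = triage_quarantine_log(QUARANTINE_LOG)
    deny.learn_bad(triage["hashes"])                  # reactive: only hashes already caught
    allow.bless(sha256_hex(SAMPLES["newtool.exe"]))   # the admin overhead: bless the new tool
    after = {"deny": evaluate(deny), "allow": evaluate(allow)}
    return {"before": before, "after": after, "triage": triage}


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

The deny-list never blocks `newworm.exe`, even after learning every hash in the log, because nothing in the log was new: that is the reactive gap. The allow-list blocks it from the start, at the price of also blocking `newtool.exe` until someone blesses it, which is the administrative overhead the market rejects. The triage output shows the log already names the directories where quarantined files land, which is where execution restrictions would stop the next event rather than the last one.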