Re: Kaspersky strikes again

[Drsolly <drsollyp () drsolly com>]

On Mon, 24 Dec 2007 Valdis.Kletnieks () vt edu wrote:

> On Sun, 23 Dec 2007 17:33:21 CST, Thomas Raef said:
> > Is it constant corporate rivalries that forced AV companies to "brag" about releasing updates every hour?
>
> Ya know, a few years back, the vendor that does the A/V part of our front-end
> email boxes took about 6 hours to get us a pattern that matched a fast-burning
> email-based worm.   In those 6 hours, we got pounded by so many copies all
> sending themselves to everybody (which is pretty badly synergistic in a mostly
> closed community like a .EDU with 50K active mailboxes, and almost every single
> one of them has zillions of *other* valid addresses on the same server just
> floating around on the drive waiting to be scraped).  How badly?  The backend
> system folded under the load when the load average got to 1487 or so, and it
> took us several *days* to get a clean restart (it proved to be harder than it
> looked to bring up the back end without the front ends dumping several tens of
> millions of messages onto the server and pounding it back into the Stone Age).
>
> When 6 or 8 hours of delay means you could have a meltdown with literally
> millions of backlogged messages, suddenly "every hour" starts sounding good...
 
Yes. This is why this kind of AV looks to me to be theoretically less
possible than many people hope.

1) You need updates very quickly after a new thing is spread; within one 
hour would be good (see case above).

2) You need to test updates thoroughly before releasing them; this will 
probably take days (or you'll flag explorer.exe as malware, thus crashing 
a load of workstations).

And you can't have both 1) and 2)

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.