Monthly Archives: August 2006

Virus Creation in The Lab

The US magazine Consumer Reports (similar to Which? magazine in the UK) has been in the technology news recently. As part of a comprehensive test of antivirus software packages, they commissioned a consulting company to create 5,500 new viruses to see how well market leading programs would cope.

The antivirus industry, led by McAfee, was immediately up in arms when they heard about it. Imagine the risk to society of these viruses escaping into the wild! What blatant disregard for consumer safety! And other similar scaremongering…

It only takes a little scratching below the surface to show that their concerns are, at best, misguided. The viruses created for Consumer Reports were simple modifications of existing viruses, altered so that their signature was no longer identifiable. The viruses were kept in a secure environment, and all copies were removed after testing – only a single CD remains, which is kept in a locked and secure cabinet on site.

Surprise, surprise – McAfee’s package didn’t do particularly well in the test; it relies heavily on a signature database to identify new threats. When viruses were still something of a novelty, this approach worked well – it often took weeks before a new virus gained notoriety, giving McAfee plenty of time to respond.

By now, however, it is so easy for would-be virus writers to develop new viruses, and variants on existing viruses, that a pure signature-based approach is no longer sufficient. A more proactive approach is needed, one that can identify virus-like behaviour and quarantine or block the affected program. Of course, there will be legitimate tools which end up looking like a virus – commercial tools can be recognised and permitted explicitly, while a mechanism can be included to allow users to grant access to other programs on an as-needed basis.

Maybe the industry should use two distinct terms – “Virus removal”, for packages that can remove existing viruses which are already known to the program, and “Antivirus” for packages that can detect new virus strains and prevent infection in the first place. (Somehow, though, I can’t imagine vendors thinking this is a good idea.)

Whenever Which? reviews product categories that I know well, I find myself disagreeing with their conclusions; this doesn’t give me much confidence in their reviews of other products that I’m not familiar with. People I trust have made similar comments about Consumer Reports. In this case, however, they’re on the side of right. More power to them…

(In case you’re wondering, the top rated antivirus packages were from BitDefender and ZoneLabs. The full report is only available to subscribers.)