[Dshield] AntiVirus Pattern Release Stats

Henry Hertz Hobbit hhhobbit at comcast.net
Thu Mar 3 23:26:38 GMT 2005


On Thu, 2005-03-03 at 09:44, Holmes, Alan wrote:
> Is anyone aware of a website or other resource that tracks
> and has reports on the timeliness with which antivirus
> companies make virus definitions available?

I just read this the other day from the PC Magazine Security
list.  I am trying to remember the site.  Start with these:

http://www.av-test.org/
http://list.virus.org/
http://list.virus.org/Top_List.html

> The reason I ask is I am very frustrated with our current
> antivirus vendor as they are ROUTINELY at the bottom of the
> list for pattern releases of the vendors that I check when a
> new threat is detected.

I think my and other people's advice has been succinct and to the
point.  We all advise AGAINST A ONE VENDOR solution.  Use one vendor at
the edge firewall, another vendor at the mail server (Outlook Exchange
if that is what you want to use), and yet another vendor at the
desktop.  Why are we so audacious to give this advice?  Because as much
as you would like to say this or that about any particular AV vendor,
their research methods vary.  Here is one for you to look at:

http://www.pcmag.com/article2/0,1759,1745668,00.asp
(if you subscribe to PCMag's security newsletter you will get this list
every week or something like that, and usually who was first will be
given).

Normally, Norman doesn't head the chart.  ClamAV (it is free and will
run on Linux mail servers or firewalls) does much better than I would
suspect.  Over the long haul, Kaspersky, Symantec, McAfee, Sophos, and
others (I really am NOT picking these out of the air, and you cannot
discuss this intelligently without including Trend Micro, Panda,
F-Secure and the others) are right in the hunt for first place, but on
any given day the top leaders (averaged out over a month, three months,
six months, or a year) can FAIL DISMALLY!  Further, on any given day one
of the little guys can trump the others.  Further, Beta Definitions may
save your keester!  In all respects, a multi-vendor approach is the
best, since one may fail, and the others will catch it.

Having said that, I would seriously look at having at least one of the
top Beta Definition Detection Vendors included in the mix of the three
(or two if your edge firewall is also the main outgoing mail server).
If you are a truly big site, I would use yet a fourth AV vendor on all
your secondary mail servers.

I would like to say that I am not going to say this again, but I know I
and others will.  The best defense against viruses is a multi-vendor
solution.  It truly is like playing the stock market - DIVERSIFY.  All
AV vendors will fight against you doing this.  They want to install a
completely integrated solution.  I am warning you in advance.

> For example, the other day when the new Bagel/Beagle/ToSoo variant
> broke, I saw some vendors had detection available at 10:30PM my
> time on Sunday while the vendor we use didn't have detection
> available until almost 11:00AM the following day after several of
> our users had already received it in their email.  This, of course,
> created a lot of headaches and extra work.

See the previous statements.  I have studied this very issue extensively
from Linux where we have a grand total of less than a dozen or so virii.
I have yet to see any of them for eight years.  For that matter, the
only way I can get a virus through Comcast is to bzip2 it.  If you are
stupid enough to read your email as root (thinking of versions of Linux
like Lindows), there would be a lot more Linux nasties.  I do NOT read
email as root.  Neither do most Linux users.  Linux has a strongly
protective file system (its file system is its DACL) that makes the
propagation of viruses very difficult.  ClamAV isn't primarily
protecting Linux - it is protecting Windows machines, and normally from
Linux.

> I'm looking to use this type of data as a justification for ditching
> our current vendor.
> 
> Thanks for any input anyone can offer.

Dump away, but I would like a PRIVATE reply (not to the newsgroup)
on the AV vendor you are dumping.  The reason I say this is that very
few AV vendors raise my hackles.  The only one that does is Symantec,
but NOT because they don't do a good job of detecting virii (they do an
excellent job).  They are also a very good neighbor in a lot of ways,
with removal tools and TONS of information.  I don't like them because
if things get out of whack you have to reinstall, and they leave crap
all over in the registry that needs to be cleaned out before you install
again.  This also holds if you are replacing NAV with another AV
vendor's product OR if you are just reinstalling.  Putting them on the
firewall or mailserver is okay but unless you want to map out ALL of the
registry entries and put them in a *.reg file to remove (actually, maybe
somebody has done it and I haven't seen it) I don't like them on the
desktop (they also slow the machine down CONSIDERABLY).   With my and
others' complaints on this, I think Symantec may even have done this by
now.  Part of the reason they don't do it is to prevent their program
from being disabled.  They, McAfee, and the other top AV vendors have
bull's-eyes on their products for the nasty vendors to try and disable
them.

You could move to Linux and kiss the AV problem goodbye (and inherit yet
another set of problems, not the least of which is learning a completely
new language).


HHH
-- 
Key Name:  "Henry Hertz Hobbit"
Key fingerprint = 924E BE61 1ACF B87A DCA9 009E E74C 183D 0164 F7D5
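The tracking the original question asks for (how quickly each vendor ships a signature after a new threat appears) and the reply's "diversify" argument can both be made concrete with a small script. The following is an added example, not code from this thread or from any AV vendor or testing site: the vendor names, outbreak names and timestamps are constructed, and the 24-hour observation window after which a late signature is counted as a miss is an assumption.

```python
"""Per-vendor signature-release lag, and the effect of layering vendors.

Added example, not code from the Dshield thread or from any AV vendor.
Vendor names, outbreak names and timestamps are constructed; the 24-hour
observation window is an assumption.
"""
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional

TS_FMT = "%Y-%m-%d %H:%M"

# Constructed sample: when each outbreak was first seen, and when each
# fictional vendor shipped a signature (None = no signature observed).
OUTBREAKS: List[dict] = [
    {"name": "mass-mailer-a", "first_seen": "2005-02-27 22:00",
     "releases": {"VendorA": "2005-02-27 22:30", "VendorB": "2005-02-28 11:00",
                  "VendorC": "2005-02-28 01:15", "VendorD": None}},
    {"name": "mass-mailer-b", "first_seen": "2005-03-01 08:00",
     "releases": {"VendorA": "2005-03-01 20:00", "VendorB": "2005-03-01 09:30",
                  "VendorC": "2005-03-01 10:00", "VendorD": "2005-03-01 08:45"}},
    {"name": "dropper-c", "first_seen": "2005-03-02 14:00",
     "releases": {"VendorA": "2005-03-02 16:00", "VendorB": "2005-03-03 15:00",
                  "VendorC": "2005-03-02 14:20", "VendorD": "2005-03-02 18:00"}},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FMT)


def lag_hours(outbreak: dict, vendor: str, window_hours: float = 24.0) -> Optional[float]:
    """Hours from first sighting to the vendor's signature; None is a miss
    (no release observed, or released after the window). A release that
    predates the sighting (generic detection already in place) is zero lag."""
    released = outbreak["releases"].get(vendor)
    if released is None:
        return None
    lag = (_ts(released) - _ts(outbreak["first_seen"])).total_seconds() / 3600.0
    if lag > window_hours:
        return None
    return max(lag, 0.0)


def first_responder(outbreak: dict, window_hours: float = 24.0) -> Optional[str]:
    """Vendor with the smallest lag for this outbreak, or None if all missed."""
    best: Optional[tuple] = None
    for vendor in outbreak["releases"]:
        lag = lag_hours(outbreak, vendor, window_hours)
        if lag is not None and (best is None or lag < best[1]):
            best = (vendor, lag)
    return best[0] if best else None


def vendor_stats(outbreaks: List[dict], window_hours: float = 24.0) -> Dict[str, dict]:
    """Mean and worst lag, miss count and first-place count per vendor."""
    vendors = sorted({v for o in outbreaks for v in o["releases"]})
    stats: Dict[str, dict] = {}
    for vendor in vendors:
        lags, misses, firsts = [], 0, 0
        for o in outbreaks:
            lag = lag_hours(o, vendor, window_hours)
            if lag is None:
                misses += 1
                continue
            lags.append(lag)
            if first_responder(o, window_hours) == vendor:
                firsts += 1
        stats[vendor] = {"mean_lag": mean(lags) if lags else None,
                         "worst_lag": max(lags) if lags else None,
                         "misses": misses, "first_place": firsts}
    return stats


def rank_vendors(stats: Dict[str, dict]) -> List[str]:
    """Fewest misses first, then lowest mean lag; vendors with no hits last."""
    def key(v: str):
        s = stats[v]
        return (s["misses"], s["mean_lag"] if s["mean_lag"] is not None else float("inf"))
    return sorted(stats, key=key)


def layered_stats(outbreaks: List[dict], vendors: List[str], window_hours: float = 24.0) -> dict:
    """Effective lag when several vendors sit in series (edge, mail server,
    desktop): the earliest signature among them wins, and an outbreak is
    missed only when every vendor in the set misses it."""
    lags, misses = [], 0
    for o in outbreaks:
        hits = [l for l in (lag_hours(o, v, window_hours) for v in vendors) if l is not None]
        if hits:
            lags.append(min(hits))
        else:
            misses += 1
    return {"mean_lag": mean(lags) if lags else None, "misses": misses}


if __name__ == "__main__":
    fmt = lambda x: "n/a" if x is None else f"{x:.2f}h"
    stats = vendor_stats(OUTBREAKS)
    for v in rank_vendors(stats):
        s = stats[v]
        print(f"{v}: mean {fmt(s['mean_lag'])} worst {fmt(s['worst_lag'])} "
              f"misses {s['misses']} first {s['first_place']}")
    print("VendorA+VendorB layered:", layered_stats(OUTBREAKS, ["VendorA", "VendorB"]))
```

On the constructed data no single vendor is first every time, and the vendor with the best average (VendorC) is not first on the first outbreak, which is the "any given day" point in the reply. `layered_stats` shows why layering pays: the combined lag of two middling vendors is the minimum of their lags per outbreak, so it is never worse than the better of the two and usually better than either alone. To use this for real, replace the constructed `OUTBREAKS` with your own records of when a sample first arrived at your site and when each vendor's update actually detected it.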