[Dshield] AntiVirus Pattern Release Stats
mj2 at percomp.de
Fri Mar 4 07:22:00 GMT 2005
At 10:44 03.03.2005 -0600, Holmes, Alan wrote:
>Is anyone aware of a website or other resource that tracks and has reports
>on the timeliness with which antivirus companies make virus definitions
>The reason I ask is I am very frustrated with our current antivirus vendor
>as they are ROUTINELY at the bottom of the list for pattern releases of the
>vendors that I check when a new threat is detected.
>For example, the other day when the new Bagel/Beagle/ToSoo variant broke, I
>saw some vendors had detection available at 10:30PM my time on Sunday while
>the vendor we use didn't have detection available until almost 11:00AM the
>following day after several of our users had already received it in their
>email. This, of course, created a lot of headaches and extra work.
>I'm looking to use this type of data as a justification for ditching our
>Thanks for any input anyone can offer.
Have a look at AV-TEST.ORG http://www.av-test.org/index.php3?lang=en they do
constant tracking.
This is their presentation from last year's Virus Bulletin Conference
This link is in German, but you will be able to understand the tables ;-)
But neither McAfee nor Trend nor NAV produce acceptable figures. NAV and
McAfee have just announced that they will increase the publicly available tested
DB-Updates to several times a week, but in case of an emergency/outbreak
you still have to rely on the BETAs and put them on your local DB-Server
manually (certainly with the full risk of a BETA being used in production!!).
There are two points here to consider (also think "worm" when I use "virus"):
1.) The gateway is the first to stop a virus, but it is also the only
system that will NOT become infected itself. It only stores infected mails.
The GW is up 24h and will always have mails in the MailFolders that have
not been scanned with the latest update. Running a scan on the full
MailFolders every time you receive an update is also impossible due to the
amount of data. Too fast, too lazily tested DBs can bring down your mail server.
2.) The workstation is the one to open and execute a virus, so it CAN
become infected itself and start distributing the virus. The WKS is only up
8h a day and many outbreaks are started during the night. By the time the
workstations get started, patterns have already been tested in production
(and maybe revised) and the workstation is well protected. But finally you
still need the user to start the virus.
What does it mean? Receiving mail is NOT mission critical (at least it must
not be, because it is unreliable per se). Accounting, billing and sales are
mission critical to a company and they should have the focus.
Cascading AV-solutions is a popular way, but having the fastest at gateway
level makes sense.
Why not have the fastest on GW and WKS when the product combines
AV-engines? You will always have fast detection on both levels?! You might
ask: don't several engines mean low performance?
Yes and no. Normally opening a file from HDD takes much more time than to
scan it, so the overhead is reasonable. Implementing several engines does
not mean that every file is analyzed by each engine. Each engine has its
pros and cons. In an outbreak situation the vendor will decide to
publish an update for that engine that has the fastest technology to
implement the update; later he will have the detection for all engines and
finally he will drop the detection from the engines that have an
unacceptable performance impact (maybe it is the one that was used in the
You see that implementing several engines to the same product today does
not have the primary goal to increase detection rates but detection speed.
Hope this helps. For more discussion you can meet me at CeBIT (Hall 7 - D14).
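The original poster asked for data on how quickly each vendor ships a pattern after a new variant appears, and the reply notes that an 11:00 AM release is too late for mail that arrived overnight. The script below is an added example, not code from the post or from AV-TEST.ORG: it takes a list of vendor release timestamps (constructed sample values with invented vendor names and assumed publishing time zones), normalises them to UTC, ranks vendors by lag against the first sighting, and lists which vendors still had no signature when a given message hit the gateway. The point it shows that the prose does not is that comparing vendors' own local-time release notes without converting to UTC reorders the ranking.

```python
"""Added example (not from the mailing-list post): rank AV vendors by
pattern-release lag for one outbreak, with every vendor's published
timestamp normalised to UTC before comparison.

All vendor names, time zones and timestamps below are CONSTRUCTED sample
data, not real release records."""
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed sample: the time each vendor's release note gives for the
# signature, in the vendor's own local zone (assumption: vendors publish
# in local time, which is exactly why a naive comparison misleads).
SAMPLE_RELEASES = [
    ("VendorA", "2005-02-27 22:30", "America/Chicago"),
    ("VendorB", "2005-02-28 05:15", "Europe/Berlin"),
    ("VendorC", "2005-02-28 10:55", "America/Chicago"),
    ("VendorD", "2005-02-28 11:40", "Asia/Tokyo"),
]


def to_utc(local_str, tz_name):
    """Interpret 'YYYY-MM-DD HH:MM' in tz_name; return an aware UTC datetime."""
    naive = datetime.strptime(local_str, "%Y-%m-%d %H:%M")
    return naive.replace(tzinfo=ZoneInfo(tz_name)).astimezone(ZoneInfo("UTC"))


def release_lags(first_seen_utc, releases=SAMPLE_RELEASES):
    """Return [(vendor, lag_minutes)] sorted fastest first.

    A negative lag means the vendor's timestamp predates the first sighting;
    treat that as clock skew or a bad record rather than precognition."""
    rows = []
    for vendor, local_str, tz_name in releases:
        lag = to_utc(local_str, tz_name) - first_seen_utc
        rows.append((vendor, int(lag.total_seconds() // 60)))
    return sorted(rows, key=lambda row: row[1])


def unprotected_at(arrival_utc, releases=SAMPLE_RELEASES):
    """Vendors whose signature was not yet published when a message arrived
    at the gateway, i.e. the ones for which that mail was scanned 'blind'."""
    return sorted(
        vendor for vendor, local_str, tz_name in releases
        if to_utc(local_str, tz_name) > arrival_utc
    )


if __name__ == "__main__":
    # Constructed: first sample seen Sunday 21:00 Chicago = Monday 03:00 UTC.
    first_seen = to_utc("2005-02-28 03:00", "UTC")
    print("vendor   lag (min)")
    for vendor, lag in release_lags(first_seen):
        print(f"{vendor:8} {lag:6d}")
    # Constructed: a user's mail hitting the gateway at 08:00 Chicago.
    arrival = to_utc("2005-02-28 08:00", "America/Chicago")
    print("no signature yet at arrival:", unprotected_at(arrival))
```

Run with Python 3.9 or newer (zoneinfo needs the system tz database, or the `tzdata` package on Windows). With the sample data VendorD's 11:40 looks like the latest release on paper but is the earliest in UTC, and VendorB's 05:15 sorts ahead of VendorA's 22:30 once both are in UTC; feeding a table of real vendor timestamps through `release_lags` over several outbreaks gives the kind of per-vendor lag history the original poster was looking for.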