[Dshield] AntiVirus Pattern Release Stats

Matthias Jaenichen mj2 at percomp.de
Fri Mar 4 07:22:00 GMT 2005

At 10:44 03.03.2005 -0600, Holmes, Alan wrote:
>Is anyone aware of a website or other resource that tracks and has reports
>on the timeliness with which antivirus companies make virus definitions
>The reason I ask is I am very frustrated with our current antivirus vendor
>as they are ROUTINELY at the bottom of the list for pattern releases of the
>vendors that I check when a new threat is detected.
>For example, the other day when the new Bagel/Beagle/ToSoo variant broke, I
>saw some vendors had detection available at 10:30PM my time on Sunday while
>the vendor we use didn't have detection available until almost 11:00AM the
>following day after several of our users had already received it in their
>email.  This, of course, created a lot of headaches and extra work.
>I'm looking to use this type of data as a justification for ditching our
>current vendor.
>Thanks for any input anyone can offer.

Have a look at AV-TEST.ORG http://www.av-test.org/index.php3?lang=en they do 
constant tracking.

This is their presentation on last year's Virus Bulletin Conference

This link is in German, but you will be able to understand the tables ;-)

But neither McAfee nor Trend nor NAV produce acceptable figures. NAV and 
McAfee have just announced that they will increase the publicly available tested 
DB-Updates to several times a week, but in case of an emergency/outbreak 
you still have to rely on the BETAs and put them on your local DB-Server 
manually (certainly with the full risk of a BETA being used on production!!).

There are two points here to consider (also think "worm" when I use "virus"):

1.) The gateway is the first to stop a virus, but it is also the only 
system that will NOT become infected itself. It only stores infected mails. 
The GW is up 24h and will always have mails in the MailFolders that have 
not been scanned with the latest update.  Running a scan on the full 
MailFolders every time you receive an update is also impossible due to the 
amount of data. Too fast, too lazily tested DBs can down your Mailserver.

2.) The workstation is the one to open and execute a virus, so it CAN 
become infected itself and start distributing the virus. The WKS is only up 
8h a day and many outbreaks are started during the night. By the time the 
workstations get started, patterns have already been tested in production 
(and maybe revised) and the workstation is well protected. But finally you 
still need the user to start the virus.

What does it mean? Receiving mail is NOT mission critical (at least it must 
not be, because it is unreliable per se). Accounting, billing and sales are 
mission critical to a company and they should have the focus.

Cascading AV-solutions is a popular way, but having the fastest at gateway 
level makes sense.

Why not have the fastest on GW and WKS when the product combines 
AV-engines? You will always have fast detection on both levels?! You might 
ask: don't several engines mean low performance?

Yes and no. Normally opening a file from HDD takes much more time than to 
scan it, so the overhead is reasonable. Implementing several engines does 
not mean that every file is analyzed by each engine. Each engine has its 
pros and cons. In an outbreak situation the vendor will decide to 
publish an update for that engine that has the fastest technology to 
implement the update, later he will have the detection for all engines and 
finally he will drop the detection from the engines that have an 
unacceptable performance impact (maybe it is the one that was used in the 
first place).

You see that implementing several engines to the same product today does 
not have the primary goal to increase detection rates but detection speed.

Hope this helps. For more discussion you can meet me at CeBIT (Hall 7 - D14).

Matthias Jaenichen
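One way to produce the per-vendor pattern-release timeliness figures Alan is asking for, as an added example that is not part of the original thread; the threat names, vendor names and timestamps below are constructed, and a vendor that has not released a pattern yet is charged the time elapsed so far as a lower bound on its lag rather than being skipped:

```python
from datetime import datetime, timedelta, timezone
from statistics import mean

CST = timezone(timedelta(hours=-6))  # the original poster's -0600 local time
UTC = timezone.utc

# Constructed sample data: hypothetical threats and placeholder vendor names.
# Aware datetimes let releases stamped in different zones subtract correctly.
FIRST_SEEN = {
    "bagle-variant": datetime(2005, 2, 27, 18, 0, tzinfo=UTC),
    "worm-sample-b": datetime(2005, 3, 1, 3, 30, tzinfo=UTC),
}
RELEASES = {
    "vendor-a": {"bagle-variant": datetime(2005, 2, 27, 22, 30, tzinfo=CST),
                 "worm-sample-b": datetime(2005, 3, 1, 6, 0, tzinfo=UTC)},
    "vendor-b": {"bagle-variant": datetime(2005, 2, 28, 10, 0, tzinfo=CST),
                 "worm-sample-b": datetime(2005, 3, 1, 12, 0, tzinfo=UTC)},
    "vendor-c": {"bagle-variant": datetime(2005, 2, 27, 21, 0, tzinfo=CST)},
}
AS_OF = datetime(2005, 3, 2, 3, 30, tzinfo=UTC)  # when the report is run


def lag_hours(first_seen, released):
    """Hours from first sighting of a threat to a vendor's pattern release."""
    return (released - first_seen).total_seconds() / 3600


def vendor_report(first_seen, releases, as_of):
    """Per vendor: mean and max lag in hours plus the number of threats still
    undetected at `as_of`. A missing release counts as `as_of - first_seen`,
    which is a lower bound on the real lag, so slow vendors are not rewarded."""
    report = {}
    for vendor, patterns in releases.items():
        lags, missing = [], 0
        for threat, seen in first_seen.items():
            released = patterns.get(threat)
            if released is None:
                missing += 1
                released = as_of
            lags.append(lag_hours(seen, released))
        report[vendor] = {"mean_lag_h": mean(lags),
                          "max_lag_h": max(lags), "undetected": missing}
    return report


def rank_vendors(report):
    """Fastest vendor first: sort by mean lag, tie-break on worst-case lag."""
    return sorted(report, key=lambda v: (report[v]["mean_lag_h"],
                                         report[v]["max_lag_h"]))


if __name__ == "__main__":
    rep = vendor_report(FIRST_SEEN, RELEASES, AS_OF)
    for v in rank_vendors(rep):
        r = rep[v]
        print(f"{v}: mean {r['mean_lag_h']:.1f}h  max {r['max_lag_h']:.1f}h"
              f"  undetected {r['undetected']}")
```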
