[unisog] Request Opinions on Anti-Virus Software

Gary Flynn flynngn at jmu.edu
Sat Jun 4 00:18:34 GMT 2005


Andy Johnston wrote:

>Hi, folks.
>
>UMBC has a site license McAfee Anti-Virus software and a server on our
>network that mirrors DAT updates.  We've noticed that we are frequently
>seeing malware infecting campus systems well before (sometimes several
>days) the DAT update that handles the problem appears.
>
>Has anyone else had similar problems?
We see the same thing with Symantec. Except for unusual
conditions, the updates available using their LiveUpdate
service lag the ones available for manual download
on their Intelligent Updater site by a couple days.

I've never seen more than a day pass without
an update being available for something previously
undetected, and it's usually the case when I submit a
sample that it's already identified and in their rapid releases.

We've updated our cleanup instructions to include the
manual update process because the malware is
morphing so fast.

There are risks associated with pumping stuff out too
quickly too. There were lots of press reports recently
about how a different vendor was recently burned
when they shipped a defective update causing their
customers lots of problems. I don't know if they have
two channels or a lag time but I'd guess not given the
incident.

When you get your hands on new malware, submit it to
http://www.virustotal.com/xhtml/index_en.html and that
should give you an idea on the relative speed of detection
capabilities. I don't know what signatures the site uses
when real-time and normal channels are available from
a vendor.

I'm reasonably happy with the response we've seen
from Symantec although the multi-day lag between
their intelligent updater site and their live update site
seems a bit excessive. Perhaps they're just being
conservative. Now that I think about it, we had an
instance a while back where around 150 computers
were reported as being infected when they were
actually fine (made for an eye opening morning).
I don't remember off the top of my head how
they were being updated.

I've come to the conclusion that signature-based
anti-virus software has seen its best days. Things
are changing too fast for it to keep up. I like what
little I've seen of Microsoft's approach with its
anti-spyware tool - it looks more like a host intrusion
prevention product monitoring behaviors. That type
of functionality and/or similar protection by running
as a non-administrator account and/or with software
restrictions enabled (or changes in day to day
operator behavior) will be required to make any
significant impact on the rate of infections.


Gary Flynn
James Madison University
