More to the point -- in the case of e-mail-borne outbreaks, when these sensors detect a piece of malicious code, they generate an error message back to whomever the server *thinks* sent the message, obviously ignoring the fact that the majority of such alleged users had absolutely nothing to do with the outbreak or that their e-mail address was harvested (or spoofed) from someone else's inbox as they got infected. Accordingly, large segments of the Internet receive automatically-generated virus alert messages blaming them for something they likely didn't do; a situation made worse when receiving different alerts from different products that use a different name for the same attack!
Not only is there no standard nomenclature for "virus detected" messages from antivirus servers but these "virus detected" messages themselves often function as surrogate attack mechanisms. Sometimes this message is a clear warning in plain text, and other times it's full of cryptic jargon. Incredibly, some products even return a warning message with the malicious code still attached -- meaning a greater chance of propagating the outbreak it's trying to mitigate! (Security consultant Brian Martin provides a fantastic discussion of this issue at Attrition.Org.)
Handling the sheer volume of such server-generated "virus detected" messages can be a daunting task. Early in the recent Novarg incident, I received 319 such messages during a twenty-four hour period, including many that were still infected with the worm. Now imagine a user on a pokey dial-up line or a CIO supporting an enterprise with thousands of users on high-speed networks and with systems that never sleep. Of course, users may be tempted to filter all server error messages, but that's not a reliable solution because doing so would also block legitimate mail server error messages (e.g., if the intended recipient has moved or has a full mailbox.) Ergo, we're stuck with a large number of diverse-yet-related server error messages that clog bandwidth and require a dedicated amount of time to develop and test custom filters while allowing other legitimate error messages to pass.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.