The Anti-Virus Industry Scam
by Richard Forno - - Monday, 16 February 2004.
More to the point -- in the case of e-mail-borne outbreaks, when these sensors detect a piece of malicious code, they generate an error message back to whomever the server *thinks* sent the message, obviously ignoring the fact that the majority of such alleged users had absolutely nothing to do with the outbreak or that their e-mail address was harvested (or spoofed) from someone else's inbox as they got infected. Accordingly, large segments of the Internet receive automatically-generated virus alert messages blaming them for something they likely didn't do; a situation made worse when receiving different alerts from different products that use a different name for the same attack!

Not only is there no standard nomenclature for "virus detected" messages from antivirus servers but these "virus detected" messages themselves often function as surrogate attack mechanisms. Sometimes this message is a clear warning in plain text, and other times it's full of cryptic jargon. Incredibly, some products even return a warning message with the malicious code still attached -- meaning a greater chance of propagating the outbreak it's trying to mitigate! (Security consultant Brian Martin provides a fantastic discussion of this issue at Attrition.Org.)

Handling the sheer volume of such server-generated "virus detected" messages can be a daunting task. Early in the recent Novarg incident, I received 319 such messages during a twenty-four hour period, including many that were still infected with the worm. Now imagine a user on a pokey dial-up line or a CIO supporting an enterprise with thousands of users on high-speed networks and with systems that never sleep. Of course, users may be tempted to filter all server error messages, but that's not a reliable solution because doing so would also block legitimate mail server error messages (e.g., if the intended recipient has moved or has a full mailbox.) Ergo, we're stuck with a large number of diverse-yet-related server error messages that clog bandwidth and require a dedicated amount of time to develop and test custom filters while allowing other legitimate error messages to pass.

How many such "virus detected" messages must be received before a malicious code event becomes a denial of service one? How about when antivirus software sends a "virus detected" message containing the detected malicious code (and spreads the outbreak) to a third party? At what point does the antivirus software become more of a problem for the Internet than the original outbreak? Should antivirus servers also exhibit responsibility to the Internet community at large by not propagating detected malicious code elsewhere? Even if we're not directly attacked, the collateral damage from a malicious code outbreak costs us time and money to remedy. (Antivirus vendors take note.)

If antivirus products were built with customers in mind, all would generate a similar message that could be filtered by customer system administrators to help reduce the amount of "noise" and collateral damage experienced during a malicious code outbreak. Martin discusses fifteen different "virus detected" messages that he encountered during the Novarg incident -- had there been a standard message, users and system administrators would have a far easier time addressing the outbreak itself instead of also dealing with a sizable volume of hard-to-filter e-mail detritus. If anyone wants to help draft a RFC on this, please contact me -- we can help bring order to this vendor-instituted chaos. (As it is, a few power users have written Unix-based procmail rules to remedy this, but it's not an easy solution for the average user.)


Proactive real-time security intelligence: Moving beyond conventional SIEM

Discussions about security intelligence still focus primarily around conventional reactive SIEM. Security pros need to move from this reactive model to proactively using this security intelligence to protect their businesses.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Aug 28th