As a result of antivirus industry marketing, customer ignorance, and easily-exploitable operating systems and enterprise servers, it's rare to find a wired organization without antivirus software on their mail servers or corporate gateways. These sensors are on constant prowl for the latest malicious code attack and are intended to defend their host network from future outbreaks based on existing attack signatures. In other words, these products only defend what they know how to defend; meaning that unless a network administrator keeps his antivirus software current (sometimes on a daily basis) it's quite easy for the "next best" attack to create havoc on his allegedly-protected network, much to the satisfaction of the antivirus industry. Then the game begins afresh - while costs mount for customers and profits rise for antivirus software vendors.

More to the point -- in the case of e-mail-borne outbreaks, when these sensors detect a piece of malicious code, they generate an error message back to whomever the server *thinks* sent the message, obviously ignoring the fact that the majority of such alleged users had absolutely nothing to do with the outbreak or that their e-mail address was harvested (or spoofed) from someone else's inbox as they got infected. Accordingly, large segments of the Internet receive automatically-generated virus alert messages blaming them for something they likely didn't do; a situation made worse when receiving different alerts from different products that use a different name for the same attack!


Not only is there no standard nomenclature for "virus detected" messages from antivirus servers but these "virus detected" messages themselves often function as surrogate attack mechanisms. Sometimes this message is a clear warning in plain text, and other times it's full of cryptic jargon. Incredibly, some products even return a warning message with the malicious code still attached -- meaning a greater chance of propagating the outbreak it's trying to mitigate! (Security consultant Brian Martin provides a fantastic discussion of this issue at Attrition.Org.)

Handling the sheer volume of such server-generated "virus detected" messages can be a daunting task. Early in the recent Novarg incident, I received 319 such messages during a twenty-four hour period, including many that were still infected with the worm. Now imagine a user on a pokey dial-up line or a CIO supporting an enterprise with thousands of users on high-speed networks and with systems that never sleep. Of course, users may be tempted to filter all server error messages, but that's not a reliable solution because doing so would also block legitimate mail server error messages (e.g., if the intended recipient has moved or has a full mailbox.) Ergo, we're stuck with a large number of diverse-yet-related server error messages that clog bandwidth and require a dedicated amount of time to develop and test custom filters while allowing other legitimate error messages to pass.