If antivirus products were built with customers in mind, all would generate a similar message that could be filtered by customer system administrators to help reduce the amount of "noise" and collateral damage experienced during a malicious code outbreak. Martin discusses fifteen different "virus detected" messages that he encountered during the Novarg incident -- had there been a standard message, users and system administrators would have a far easier time addressing the outbreak itself instead of also dealing with a sizable volume of hard-to-filter e-mail detritus. If anyone wants to help draft a RFC on this, please contact me -- we can help bring order to this vendor-instituted chaos. (As it is, a few power users have written Unix-based procmail rules to remedy this, but it's not an easy solution for the average user.)
Finally, there's the ethics of the antivirus industry. Martin shows several vendors blatantly advertising their products in their server-generated "virus detected" messages, and also using malicious code outbreaks to hawk their overall product lines through unsolicited e-mails (e.g., spam) bearing a subject line of "Security Advisory" and the name of the latest outbreak. Is this "advisory" really for the benefit of the internet community or the antivirus product vendor? It's like an airline releasing post-September-11 advertisements saying "Security Alert: Hijackings can be prevented -- come fly with us, our cockpit doors are reinforced and the best in the industry!"
The Novarg incident clearly underscores the need for reform in the antivirus industry. A few industry-wide reforms, such as those mentioned in this article, will go a long way toward making the antivirus industry both more reputable and useful for its customers while truly improving security on the Internet. These changes are not difficult to implement and can be done on the cheap. Unfortunately, absent such changes, as recent events show, the antivirus industry will continue contributing significantly to internet security problems instead of helping reduce them.
Copyright (c) 2004 by Author. Permission granted to reproduce with credit.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.