Imagine that your office building was on fire, and you called
the fire department, only to be told, “Please wait there
while we invent a new method to fight the kind of fire you have.”
You’d be furious! You’d expect the firefighters to rush to your
building immediately, ready to fight whatever kind of fire they found.
Unfortunately, anti-virus services are forced into a scenario that no
firefighter would accept: “We have to invent new defenses every day.”
Anti-virus software can predict and prevent some never-before-seen viruses.
But all too often, a new virus can spread unchecked while software vendors
develop and distribute a new “signature” file that can match the virus
and kill it.
The Time Lag Between Discovery and Disinfection
Just how long is the period between a new virus getting “into the wild”
and an effective antidote getting into your company’s anti-virus arsenal?
To answer that question, I turned to
AV-Test.org,
a group of researchers which has studied anti-virus technology for years.
AV-Test is not as well-known in the United States as it should be, possibly
because the group is located in Germany at the Otto von Guericke University
Magdeburg. Many of the organization’s articles have been published in
German computer magazines that have no English editions — but I hope
that’ll change.
I interviewed by telephone Andreas Marx, manager of AV-Test, to get
his view of anti-virus response times. He provided me with test results
showing how long it took 23 major anti-virus programs worldwide
to come up with new signature files during the past several weeks.
“I hope this will decrease the time it takes updates to get released,”
Marx told me, explaining why he feels sharing the information is important.
Finding — and Fighting — New Virus Threats
The new signature files involved in this horse race were developed to fight
four novel viruses that weren’t being caught by the preventive
or “heuristic” techniques of most anti-virus programs. These four new
viruses are known as Dumaru.Y, MyDoom.A, Bagle.A and Bagle.B.
AV-Test uses special scripts to check the servers at anti-virus
companies every five minutes, looking for new signature files. It then
calculates the time between each virus being first spotted somewhere in
the world by the MessageLabs consulting group and the time when each anti-virus
service has a working fix available to the public (not counting beta
versions available only to testers).
According to the organization’s data,
these are the average lag times, in hours and minutes, for each program
during the test period:
  H:M   Anti-Virus Program
 06:51  Kaspersky
 08:21  Bitdefender
 08:45  Virusbuster
 09:08  F-Secure
 09:16  F-Prot
 09:16  RAV
 09:24  AntiVir
 10:31  Quickheal
 10:52  InoculateIT-CA
 11:30  Ikarus
 12:00  AVG
 12:17  Avast
 12:22  Sophos
 12:31  Dr. Web
 13:06  Trend Micro
 13:10  Norman
 13:59  Command
 14:04  Panda
 17:16  Esafe
 24:12  A2
 26:11  McAfee
 27:10  Symantec
 29:45  InoculateIT-VET
The averages vary from about 7 hours per virus to more than one full
day (almost 30 hours).
It’s important to note two things about the figures in the table above:
• Some of the programs were able to detect some of the viruses in the
testing period heuristically — without needing an update. Ikarus,
Quickheal, and Virusbuster were able to do this with the Dumaru.Y virus,
whereas Norman and RAV were able to do it with Bagle.B. In those cases, the
anti-virus program was assigned a response time of zero for that one virus.
This reduced those vendors’ average response times.
• On the other hand, A2 had not posted a signature for the Bagle.B virus
within three days, when the test period ended. This program, therefore, was
assigned a response time of 35 hours in this instance. If this virus had not
been considered in the statistics, A2’s average response time would have been
reduced to 15:26 rather than 24:12.
Distributing the Fix Is As Important As Developing It
Aside from the immediate problem of developing signature files that can
detect new viruses, there’s another element to a good anti-virus service.
The new signatures must be distributed to corporate and individual customers
across the Internet, using the infrastructure the provider has built.
In a PDF white paper released in February and entitled
“Outbreak
Response Times,” AV-Test shows that the frequency with which
anti-virus companies update their software online varies widely. Although new
signatures are sometimes posted very quickly in special cases, many major
anti-virus services schedule regular online updates only once or twice a week,
AV-Test says. Other providers, such as
F-Secure, schedule updates
seven times a week, while
Kaspersky
Labs schedules them 20 times a week, according to AV-Test’s
figures.
Updating Anti-Virus Signatures Around the Clock
Actually, says Antony Holdsworth, technical consultant for Kaspersky Labs’
United Kingdom office, his company recently started posting a new signature
file on its servers every three hours.
“We’re seeing about 300 new viruses a week,” Holdsworth explains.
“There are always new anti-virus signatures to post,” even with updates
scheduled eight times a day, he adds.
Kaspersky schedules new signature files the most often — and earned
the fastest average response times in AV-Test’s real-time trials, shown
above — because the company has a large number of people around the
world analyzing viruses and developing cures, Holdsworth says.
Conclusion
Your company may not feel it has a virus problem. Some corporations think they
can prevent viruses by stripping all attachments out of incoming e-mail.
“But people use workarounds like Hotmail to get attachments,” AV-Test’s
Marx says.
If you do find yourself coping with new viruses all too often,
the response time of your anti-virus service may be a factor you’ll
want to take a good, hard look at.
Want to discuss the issues raised in this column? Take it over to our IT Management Forum.